Release NixOS 24.05

(cherry picked from commit 899c542291)

.github/CODEOWNERS

@@ -306,8 +306,8 @@ nixos/modules/services/networking/networkmanager.nix @Janik-Haag
 /pkgs/applications/networking/cluster/terraform-providers @zowoq
 
 # Forgejo
-nixos/modules/services/misc/forgejo.nix      @bendlas @emilylange
-pkgs/applications/version-management/forgejo @bendlas @emilylange
+nixos/modules/services/misc/forgejo.nix @adamcstephens @bendlas @emilylange
+pkgs/by-name/fo/forgejo/package.nix     @adamcstephens @bendlas @emilylange
 
 # Dotnet
 /pkgs/build-support/dotnet                  @IvarWithoutBones

README.md

@@ -52,9 +52,9 @@ Nixpkgs and NixOS are built and tested by our continuous integration
 system, [Hydra](https://hydra.nixos.org/).
 
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for the NixOS 23.11 release](https://hydra.nixos.org/jobset/nixos/release-23.11)
+* [Continuous package builds for the NixOS 24.05 release](https://hydra.nixos.org/jobset/nixos/release-24.05)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for the NixOS 23.11 release](https://hydra.nixos.org/job/nixos/release-23.11/tested#tabs-constituents)
+* [Tests for the NixOS 24.05 release](https://hydra.nixos.org/job/nixos/release-24.05/tested#tabs-constituents)
 
 Artifacts successfully built with Hydra are published to cache at
 https://cache.nixos.org/. When successful build and test criteria are

doc/build-helpers/testers.chapter.md

@@ -40,6 +40,82 @@ If the `moduleNames` argument is omitted, `hasPkgConfigModules` will use `meta.p
 
 :::
 
+## `lycheeLinkCheck` {#tester-lycheeLinkCheck}
+
+Check a packaged static site's links with the [`lychee` package](https://search.nixos.org/packages?show=lychee&type=packages&query=lychee).
+
+You may use Nix to reproducibly build static websites, such as for software documentation.
+Some packages will install documentation in their `out` or `doc` outputs, or maybe you have dedicated package where you've made your static site reproducible by running a generator, such as [Hugo](https://gohugo.io/) or [mdBook](https://rust-lang.github.io/mdBook/), in a derivation.
+
+If you have a static site that can be built with Nix, you can use `lycheeLinkCheck` to check that the hyperlinks in your site are correct, and do so as part of your Nix workflow and CI.
+
+:::{.example #ex-lycheelinkcheck}
+
+# Check hyperlinks in the `nix` documentation
+
+```nix
+testers.lycheeLinkCheck {
+  site = nix.doc + "/share/doc/nix/manual";
+}
+```
+
+:::
+
+### Return value {#tester-lycheeLinkCheck-return}
+
+This tester produces a package that does not produce useful outputs, but only succeeds if the hyperlinks in your site are correct. The build log will list the broken links.
+
+It has two modes:
+
+- Build the returned derivation; its build process will check that internal hyperlinks are correct. This runs in the sandbox, so it will not check external hyperlinks, but it is quick and reliable.
+
+- Invoke the `.online` attribute with [`nix run`](https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-run) ([experimental](https://nixos.org/manual/nix/stable/contributing/experimental-features#xp-feature-nix-command)). This runs outside the sandbox, and checks that both internal and external hyperlinks are correct.
+  Example:
+
+  ```shell
+  nix run nixpkgs#lychee.tests.ok.online
+  ```
+
+### Inputs {#tester-lycheeLinkCheck-inputs}
+
+`site` (path or derivation) {#tester-lycheeLinkCheck-param-site}
+
+: The path to the files to check.
+
+`remap` (attribe set, optional) {#tester-lycheeLinkCheck-param-remap}
+
+: An attribute set where the attribute names are regular expressions.
+  The values should be strings, derivations, or path values.
+
+  In the returned check's default configuration, external URLs are only checked when you run the `.online` attribute.
+
+  By adding remappings, you can check offline that URLs to external resources are correct, by providing a stand-in from the file system.
+
+  Before checking the existence of a URL, the regular expressions are matched and replaced by their corresponding values.
+
+  Example:
+
+  ```nix
+  {
+    "https://nix\\.dev/manual/nix/[a-z0-9.-]*" = "${nix.doc}/share/doc/nix/manual";
+    "https://nixos\\.org/manual/nix/(un)?stable" = "${emptyDirectory}/placeholder-to-disallow-old-nix-docs-urls";
+  }
+  ```
+
+  Store paths in the attribute values are automatically prefixed with `file://`, because lychee requires this for paths in the file system.
+  If this is a problem, or if you need to control the order in which replacements are performed, use `extraConfig.remap` instead.
+
+`extraConfig` (attribute set) {#tester-lycheeLinkCheck-param-extraConfig}
+
+: Extra configuration to pass to `lychee` in its [configuration file](https://github.com/lycheeverse/lychee/blob/master/lychee.example.toml).
+  It is automatically [translated](https://nixos.org/manual/nixos/stable/index.html#sec-settings-nix-representable) to TOML.
+
+  Example: `{ "include_verbatim" = true; }`
+
+`lychee` (derivation, optional) {#tester-lycheeLinkCheck-param-lychee}
+
+: The `lychee` package to use.
+
 ## `testVersion` {#tester-testVersion}
 
 Checks that the output from running a command contains the specified version string in it as a whole word.
@@ -129,7 +205,7 @@ runCommand "example" {
 
 :::
 
-## `testEqualContents` {#tester-equalContents}
+## `testEqualContents` {#tester-testEqualContents}
 
 Check that two paths have the same contents.
 

lib/licenses.nix

@@ -902,6 +902,17 @@ in mkLicense lset) ({
     free = false;
   };
 
+  ncbiPd = {
+    spdxId = "NCBI-PD";
+    fullname = "NCBI Public Domain Notice";
+    # Due to United States copyright law, anything with this "license" does not have a copyright in the
+    # jurisdiction of the United States. However, other jurisdictions may assign the United States
+    # government copyright to the work, and the license explicitly states that in such a case, no license
+    # is granted. This is nonfree and nonredistributable in most jurisdictions other than the United States.
+    free = false;
+    redistributable = false;
+  };
+
   ncsa = {
     spdxId = "NCSA";
     fullName = "University of Illinois/NCSA Open Source License";

lib/systems/default.nix

@@ -93,6 +93,7 @@ let
         else if final.isAndroid             then "bionic"
         else if final.isLinux /* default */ then "glibc"
         else if final.isFreeBSD             then "fblibc"
+        else if final.isOpenBSD             then "oblibc"
         else if final.isNetBSD              then "nblibc"
         else if final.isAvr                 then "avrlibc"
         else if final.isGhcjs               then null

lib/systems/examples.nix

@@ -342,6 +342,11 @@ rec {
     useLLVM = true;
   };
 
+  x86_64-openbsd = {
+    config = "x86_64-unknown-openbsd";
+    useLLVM = true;
+  };
+
   #
   # WASM
   #

lib/systems/parse.nix

@@ -469,6 +469,7 @@ rec {
               elem (elemAt l 2) [ "wasi" "redox" "mmixware" "ghcjs" "mingw32" ] ||
               hasPrefix "freebsd" (elemAt l 2) ||
               hasPrefix "netbsd" (elemAt l 2) ||
+              hasPrefix "openbsd" (elemAt l 2) ||
               hasPrefix "genode" (elemAt l 2)
       then {
         cpu    = elemAt l 0;

maintainers/maintainer-list.nix

@@ -4568,9 +4568,14 @@
     github = "DataHearth";
     githubId = 28595242;
     name = "DataHearth";
-    keys = [{
-      fingerprint = "A129 2547 0298 BFEE 7EE0  92B3 946E 2D0C 410C 7B3D";
-    }];
+    keys = [
+      {
+        fingerprint = "A129 2547 0298 BFEE 7EE0 92B3 946E 2D0C 410C 7B3D";
+      }
+      {
+        fingerprint = "FFC4 92C1 5320 B05D 0F8D 7D58 ABF6 737C 6339 6D35";
+      }
+    ];
   };
   davegallant = {
     name = "Dave Gallant";
@@ -7731,6 +7736,14 @@
       fingerprint = "7FC7 98AB 390E 1646 ED4D  8F1F 797F 6238 68CD 00C2";
     }];
   };
+  greaka = {
+    email = "git@greaka.de";
+    github = "greaka";
+    githubId = 2805834;
+    name = "Greaka";
+    keys =
+      [{ fingerprint = "6275 FB5C C9AC 9D85 FF9E  44C5 EE92 A5CD C367 118C"; }];
+  };
   greg = {
     email = "greg.hellings@gmail.com";
     github = "greg-hellings";
@@ -9963,6 +9976,12 @@
     githubId = 8580434;
     name = "Jonny Bolton";
   };
+  jonochang = {
+    name = "Jono Chang";
+    email = "j.g.chang@gmail.com";
+    github = "jonochang";
+    githubId = 13179;
+  };
   jonringer = {
     email = "jonringer117@gmail.com";
     matrix = "@jonringer:matrix.org";
@@ -11920,6 +11939,14 @@
     githubId = 10626;
     name = "Andreas Wagner";
   };
+  lpostula = {
+    email = "lois@postu.la";
+    github = "loispostula";
+    githubId = 1423612;
+    name = "Loïs Postula";
+    keys =
+      [{ fingerprint = "0B4A E7C7 D3B7 53F5 3B3D  774C 3819 3C6A 09C3 9ED1"; }];
+  };
   lrewega = {
     email = "lrewega@c32.ca";
     github = "lrewega";
@@ -12845,6 +12872,12 @@
       fingerprint = "1DE4 424D BF77 1192 5DC4  CF5E 9AED 8814 81D8 444E";
     }];
   };
+  maxstrid = {
+    email = "mxwhenderson@gmail.com";
+    github = "maxstrid";
+    githubId = 115441224;
+    name = "Maxwell Henderson";
+  };
   maxux = {
     email = "root@maxux.net";
     github = "maxux";

maintainers/scripts/luarocks-packages.csv

@@ -112,6 +112,7 @@ nvim-nio,,,,,,mrcjkb
 pathlib.nvim,,,,,,
 penlight,,,,,,alerque
 plenary.nvim,https://raw.githubusercontent.com/nvim-lua/plenary.nvim/master/plenary.nvim-scm-1.rockspec,,,,5.1,
+psl,,,,0.3,,
 rapidjson,,,,,,
 rest.nvim,,,,,5.1,teto
 rocks.nvim,,,,,,mrcjkb

maintainers/team-list.nix

@@ -345,6 +345,16 @@ with lib.maintainers; {
     shortName = "freedesktop.org packaging";
   };
 
+  fslabs = {
+    # Verify additions to this team with at least one already existing member of the team.
+    members = [
+      greaka
+      lpostula
+    ];
+    scope = "Group registration for packages maintained by Foresight Spatial Labs.";
+    shortName = "Foresight Spatial Labs employees";
+  };
+
   gcc = {
     members = [
       synthetica

nixos/README.md

@@ -48,7 +48,7 @@ Reviewing process:
   - Description, default and example should be provided.
 - Ensure that option changes are backward compatible.
   - `mkRenamedOptionModuleWith` provides a way to make renamed option backward compatible.
-  - Use `lib.versionAtLeast config.system.stateVersion "23.11"` on backward incompatible changes which may corrupt, change or update the state stored on existing setups.
+  - Use `lib.versionAtLeast config.system.stateVersion "24.05"` on backward incompatible changes which may corrupt, change or update the state stored on existing setups.
 - Ensure that removed options are declared with `mkRemovedOptionModule`.
 - Ensure that changes that are not backward compatible are mentioned in release notes.
 - Ensure that documentations affected by the change is updated.

nixos/doc/manual/installation/upgrading.chapter.md

@@ -6,7 +6,7 @@ expressions and associated binaries. The NixOS channels are updated
 automatically from NixOS's Git repository after certain tests have
 passed and all packages have been built. These channels are:
 
--   *Stable channels*, such as [`nixos-23.11`](https://channels.nixos.org/nixos-23.11).
+-   *Stable channels*, such as [`nixos-24.05`](https://channels.nixos.org/nixos-24.05).
     These only get conservative bug fixes and package upgrades. For
     instance, a channel update may cause the Linux kernel on your system
     to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not
@@ -19,7 +19,7 @@ passed and all packages have been built. These channels are:
     radical changes between channel updates. It's not recommended for
     production systems.
 
--   *Small channels*, such as [`nixos-23.11-small`](https://channels.nixos.org/nixos-23.11-small)
+-   *Small channels*, such as [`nixos-24.05-small`](https://channels.nixos.org/nixos-24.05-small)
     or [`nixos-unstable-small`](https://channels.nixos.org/nixos-unstable-small).
     These are identical to the stable and unstable channels described above,
     except that they contain fewer binary packages. This means they get updated
@@ -38,8 +38,8 @@ supported stable release.
 
 When you first install NixOS, you're automatically subscribed to the
 NixOS channel that corresponds to your installation source. For
-instance, if you installed from a 23.11 ISO, you will be subscribed to
-the `nixos-23.11` channel. To see which NixOS channel you're subscribed
+instance, if you installed from a 24.05 ISO, you will be subscribed to
+the `nixos-24.05` channel. To see which NixOS channel you're subscribed
 to, run the following as root:
 
 ```ShellSession
@@ -54,16 +54,16 @@ To switch to a different NixOS channel, do
 ```
 
 (Be sure to include the `nixos` parameter at the end.) For instance, to
-use the NixOS 23.11 stable channel:
+use the NixOS 24.05 stable channel:
 
 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-23.11 nixos
+# nix-channel --add https://channels.nixos.org/nixos-24.05 nixos
 ```
 
 If you have a server, you may want to use the "small" channel instead:
 
 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-23.11-small nixos
+# nix-channel --add https://channels.nixos.org/nixos-24.05-small nixos
 ```
 
 And if you want to live on the bleeding edge:
@@ -117,6 +117,6 @@ modules. You can also specify a channel explicitly, e.g.
 
 ```nix
 {
-  system.autoUpgrade.channel = "https://channels.nixos.org/nixos-23.11";
+  system.autoUpgrade.channel = "https://channels.nixos.org/nixos-24.05";
 }
 ```

nixos/doc/manual/release-notes/rl-2405.section.md

@@ -1,4 +1,4 @@
-# Release 24.05 (“Uakari”, 2024.05/??) {#sec-release-24.05}
+# Release 24.05 (“Uakari”, 2024.05/31) {#sec-release-24.05}
 
 Support is planned until the end of December 2024, handing over to 24.11.
 
@@ -6,11 +6,11 @@ Support is planned until the end of December 2024, handing over to 24.11.
 
 In addition to numerous new and upgraded packages, this release has the following highlights:
 
-<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+<!-- Please keep entries alphabetically sorted. -->
 
 - The default kernel package has been updated from 6.1 to 6.6. All supported kernels remain available.
 
-- For each supporting version of the Linux kernel firmware blobs
+- For each supporting version of the Linux kernel, firmware blobs
   are compressed with zstd. For firmware blobs this means an increase of 4.4% in size, however
   a significantly higher decompression speed.
 
@@ -22,13 +22,13 @@ In addition to numerous new and upgraded packages, this release has the followin
 
   This makes `nix run nixpkgs#hello` and `nix-build '<nixpkgs>' -A hello` work out of the box with no added configuration, reusing dependencies already on the system.
 
-  This may be undesirable if nix commands are not going to be run on the built system since it adds nixpkgs to the system closure. For such closure-size-constrained non-interactive systems, this setting should be disabled.
+  This may be undesirable if Nix commands are not going to be run on the built system since it adds nixpkgs to the system closure. For such closure-size-constrained non-interactive systems, this setting should be disabled.
 
-  To disable this, set [nixpkgs.flake.setNixPath](#opt-nixpkgs.flake.setNixPath) and [nixpkgs.flake.setFlakeRegistry](#opt-nixpkgs.flake.setFlakeRegistry) to false.
+  To disable it, set [nixpkgs.flake.setNixPath](#opt-nixpkgs.flake.setNixPath) and [nixpkgs.flake.setFlakeRegistry](#opt-nixpkgs.flake.setFlakeRegistry) to false.
 
 - NixOS AMIs are now uploaded regularly to a new AWS Account.
   Instructions on how to use them can be found on <https://nixos.github.io/amis>.
-  We are working on integration the data into the NixOS homepage.
+  We are working on integrating the data into the NixOS homepage.
   The list in `nixos/modules/virtualisation/amazon-ec2-amis.nix` will stop
   being updated and will be removed in the future.
 
@@ -42,18 +42,24 @@ In addition to numerous new and upgraded packages, this release has the followin
   }
   ```
 
+- Cinnamon has been updated to 6.0. Please be aware that the [Wayland session](https://blog.linuxmint.com/?p=4591) is still experimental in this release and could potentially [affect Xorg sessions](https://blog.linuxmint.com/?p=4639). We suggest a reboot when switching between sessions.
+
+- GNOME has been updated to 46 "Kathmandu", which introduces an enhanced Files app, support for OneDrive in Online Accounts, and more changes. Refer to the [release notes](https://release.gnome.org/46/) for more details.
+
 - Lomiri (formerly known as Unity8) desktop mode, using Mir 2.x to function as a Wayland compositor, is now available and can be installed with `services.desktopManager.lomiri.enable = true`. Note that some core applications, services and indicators have yet to be packaged, and some functions may remain incomplete, but the base experience should be there.
 
+- LXQt has been updated to 2.0, which is based on Qt 6 and features Wayland support for many applications.
+
 - MATE has been updated to 1.28.
-  - To properly support panel plugins built with Wayland (in-process) support, we are introducing `services.xserver.desktopManager.mate.extraPanelApplets` option, please use that for installing panel applets.
-  - Similarly, please use `services.xserver.desktopManager.mate.extraCajaExtensions` option for installing Caja extensions.
-  - To use the Wayland session, enable `services.xserver.desktopManager.mate.enableWaylandSession`. This is opt-in for now as it is in early stage and introduces a new set of Wayfire closure. Due to [known issues with LightDM](https://github.com/canonical/lightdm/issues/63), we suggest using SDDM for display manager.
+  - To properly support panel plugins built with Wayland (in-process) support, we are introducing the `services.xserver.desktopManager.mate.extraPanelApplets` option, please use that for installing panel applets.
+  - Similarly, please use the `services.xserver.desktopManager.mate.extraCajaExtensions` option for installing Caja extensions.
+  - To use the Wayland session, enable `services.xserver.desktopManager.mate.enableWaylandSession`. This is opt-in for now as it is in early an stage and introduces a new set of Wayfire closures. Due to [known issues with LightDM](https://github.com/canonical/lightdm/issues/63), we suggest using SDDM as the display manager.
 
 - Plasma 6 is now available and can be installed with `services.xserver.desktopManager.plasma6.enable = true;`. Plasma 5 will likely be deprecated in the next release (24.11). Note that Plasma 6 runs as Wayland by default, and the X11 session needs to be explicitly selected if necessary.
 
 ## New Services {#sec-release-24.05-new-services}
 
-<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+<!-- Please keep entries alphabetically sorted. -->
 
 - [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable).
 The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server software.
@@ -65,7 +71,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 - [armagetronad](https://wiki.armagetronad.org), a mid-2000s 3D lightcycle game widely played at iD Tech Camps. You can define multiple servers using `services.armagetronad.<server>.enable`.
 
 - [BenchExec](https://github.com/sosy-lab/benchexec), a framework for reliable benchmarking and resource measurement, available as [programs.benchexec](#opt-programs.benchexec.enable),
-  As well as related programs
+  as well as related programs
   [CPU Energy Meter](https://github.com/sosy-lab/cpu-energy-meter), available as [programs.cpu-energy-meter](#opt-programs.cpu-energy-meter.enable), and
   [PQoS Wrapper](https://gitlab.com/sosy-lab/software/pqos-wrapper), available as [programs.pqos-wrapper](#opt-programs.pqos-wrapper.enable).
 
@@ -75,7 +81,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable).
 
-- [CommaFeed](https://github.com/Athou/commafeed), a Google Reader inspired self-hosted RSS reader. Available as [services.commafeed](#opt-services.commafeed.enable).
+- [CommaFeed](https://github.com/Athou/commafeed), a Google Reader-inspired self-hosted RSS reader. Available as [services.commafeed](#opt-services.commafeed.enable).
 
 - [davis](https://github.com/tchapi/davis), a simple CardDav and CalDav server inspired by Baïkal. Available as [services.davis](#opt-services.davis.enable).
 
@@ -85,6 +91,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - [FCast Receiver](https://fcast.org), an open-source alternative to Chromecast and AirPlay. Available as [programs.fcast-receiver](#opt-programs.fcast-receiver.enable).
 
+- [FileSender](https://filesender.org/), a file sharing software. Available as [services.filesender](#opt-services.filesender.enable).
+
 - [Firefly-iii](https://www.firefly-iii.org), a free and open source personal finance manager. Available as [services.firefly-iii](#opt-services.firefly-iii.enable).
 
 - [Flarum](https://flarum.org/), a delightfully simple discussion platform for your website. Available as [services.flarum](#opt-services.flarum.enable).
@@ -109,7 +117,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - [Jottacloud Command-line Tool](https://docs.jottacloud.com/en/articles/1436834-jottacloud-command-line-tool), a CLI for the [Jottacloud](https://jottacloud.com/) cloud storage provider. Available as [services.jotta-cli](#opt-services.jotta-cli.enable).
 
-- [keto](https://www.ory.sh/keto/), a permission & access control server, the first open source implementation of ["Zanzibar: Google's Consistent, Global Authorization System"](https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/).
+- [keto](https://www.ory.sh/keto/), a permission & access control server, the first open source implementation of [*Zanzibar: Google's Consistent, Global Authorization System*](https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/).
 
 - [manticoresearch](https://manticoresearch.com), easy to use open source fast database for search. Available as [services.manticore](#opt-services.manticore.enable).
 
@@ -147,7 +155,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - [private-gpt](https://github.com/zylon-ai/private-gpt), a service to interact with your documents using the power of LLMs, 100% privately, no data leaks. Available as [services.private-gpt](#opt-services.private-gpt.enable).
 
-- [Prometheus DNSSEC Exporter](https://github.com/chrj/prometheus-dnssec-exporter), check for validity and expiration in DNSSEC signatures and expose metrics for Prometheus. Available as [services.prometheus.exporters.dnssec](#opt-services.prometheus.exporters.dnssec.enable).
+- [Prometheus DNSSEC Exporter](https://github.com/chrj/prometheus-dnssec-exporter): check for validity and expiration in DNSSEC signatures and expose metrics for Prometheus. Available as [services.prometheus.exporters.dnssec](#opt-services.prometheus.exporters.dnssec.enable).
 
 - [prometheus-nats-exporter](https://github.com/nats-io/prometheus-nats-exporter), a Prometheus exporter for NATS. Available as [services.prometheus.exporters.nats](#opt-services.prometheus.exporters.nats.enable).
 
@@ -187,6 +195,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - [wastebin](https://github.com/matze/wastebin), a pastebin server written in rust. Available as [services.wastebin](#opt-services.wastebin.enable).
 
+- [watchdogd](https://troglobit.com/projects/watchdogd/), a system and process supervisor using watchdog timers. Available as [services.watchdogd](#opt-services.watchdogd.enable).
+
 - [Workout-tracker](https://github.com/jovandeginste/workout-tracker), a workout tracking web application for personal use.
 
 - [wyoming-satellite](https://github.com/rhasspy/wyoming-satellite), a voice assistant satellite for Home Assistant using the Wyoming protocol. Available as [services.wyoming.satellite](#opt-services.wyoming.satellite.enable).
@@ -197,8 +207,6 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - [your_spotify](https://github.com/Yooooomi/your_spotify), a self hosted Spotify tracking dashboard. Available as [services.your_spotify](#opt-services.your_spotify.enable)
 
-- [FileSender](https://filesender.org/), a file sharing software. Available as [services.filesender](#opt-services.filesender.enable).
-
 ## Backward Incompatibilities {#sec-release-24.05-incompatibilities}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -223,10 +231,10 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `buildGoModule` now throws an error when `vendorHash` is not specified. `vendorSha256`, deprecated in Nixpkgs 23.11, is now ignored and is no longer a `vendorHash` alias.
 
-- `chromium` and `ungoogled-chromium` had a long standing issue regarding Widevine DRM handling in nixpkgs fixed.
+- `chromium` and `ungoogled-chromium` had a long-standing issue regarding Widevine DRM handling in nixpkgs fixed.
   `chromium` now no longer automatically downloads Widevine when encountering DRM protected content.
-  To be able to play DRM protected content in `chromium` now, you have to explicitly opt-in as originally intended using `chromium.override { enableWideVine = true; }`.
-  This override has been added almost 10 years ago.
+  To be able to play DRM protected content in `chromium`, you now have to explicitly opt-in as originally intended using `chromium.override { enableWideVine = true; }`.
+  This override was added almost 10 years ago.
 
 - `craftos-pc` package has been updated to v2.8, which includes [breaking changes](https://github.com/MCJack123/craftos2/releases/tag/v2.8).
   - Files are now handled in binary mode; this could break programs with embedded UTF-8 characters.
@@ -248,16 +256,16 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 - `cudaPackages.cudatoolkit` has been deprecated and replaced with a
   symlink-based wrapper for the splayed redistributable CUDA packages. The
   wrapper only includes tools and libraries necessary to build common packages
-  like e.g. tensorflow. The original runfile-based `cudatoolkit` is still
+  such as tensorflow. The original runfile-based `cudatoolkit` is still
   available as `cudatoolkit-legacy-runfile`.
 
-- `cudaPackages.nsight_systems` now has most vendored third party libraries removed, though we now only ship it for `cudaPackages_11_8` and later due to outdated dependencies. Users comfortable with the vendored dependencies may use `overrideAttrs` to amend the `postPatch` phase and the `meta.broken` correspondingly. Alternatively, one could package the deprecated `boost170` locally, as required for `cudaPackages_11_4.nsight_systems`.
+- `cudaPackages.nsight_systems` now has most vendored third-party libraries removed, though we now only ship it for `cudaPackages_11_8` and later, due to outdated dependencies. Users comfortable with the vendored dependencies may use `overrideAttrs` to amend the `postPatch` phase and the `meta.broken` correspondingly. Alternatively, one could package the deprecated `boost170` locally, as required for `cudaPackages_11_4.nsight_systems`.
 
 - `cudaPackages.autoFixElfFiles` has been deprecated for `pkgs.autoFixElfFiles`. Functionality has not changed, but the setuphook has been renamed and moved to the top-level package scope.
 
-- `davfs2`' `services.davfs2.extraConfig` setting has been deprecated and converted to the free-form type option named `services.davfs2.settings` according to RFC42.
+- `davfs2`'s `services.davfs2.extraConfig` setting has been deprecated and converted to the free-form type option named `services.davfs2.settings` according to RFC42.
 
-- `dwarf-fortress` has been updated to version 50, and its derivations continue to menace with spikes of Nix and bash. Version 50 is identical to the version on Steam, but without the paid elements like tilepacks.
+- `dwarf-fortress` has been updated to version 50, which is identical to the version on Steam, but without the paid elements like tilepacks.
   dfhack and Dwarf Therapist still work, and older versions are still packaged in case you'd like to roll back. Note that DF 50 saves will not be compatible with DF 0.47 and earlier.
   See [Bay 12 Games](http://www.bay12games.com/dwarves/) for more details on what's new in Dwarf Fortress.
 
@@ -267,14 +275,14 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `erlang-ls` package no longer ships the `els_dap` binary as of v0.51.0.
 
-- `erlang_node_short_name`, `erlang_node_name`, `port` and `options` configuration parameters are gone, and have been replaced with an `environment` parameter.
+- `erlang_node_short_name`, `erlang_node_name`: `port` and `options` configuration parameters are gone, and have been replaced with an `environment` parameter.
     Use the appropriate [environment variables](https://hexdocs.pm/livebook/readme.html#environment-variables) inside `environment` to configure the service instead.
 
 - `firefox-devedition`, `firefox-beta`, `firefox-esr` executable file names for now match their package names, which is consistent with the `firefox-*-bin` packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher.
 
-- `gauge` now supports installing plugins using nix. For the old imperative approach, switch to `gauge-unwrapped`.
+- `gauge` now supports installing plugins using Nix. For the old imperative approach, switch to `gauge-unwrapped`.
   You can load plugins from an existing gauge manifest file using `gauge.fromManifest ./path/to/manifest.json` or
-  specify plugins in nix using `gauge.withPlugins (p: with p; [ js html-report xml-report ])`.
+  specify plugins in Nix using `gauge.withPlugins (p: with p; [ js html-report xml-report ])`.
 
 - `gitea` has been updated to 1.21, which introduces several breaking changes, including:
   - Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*`
@@ -300,7 +308,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `himalaya` has been updated to v1.0.0-beta.4, which introduces breaking changes. Check out the [release note](https://github.com/soywod/himalaya/releases/tag/v1.0.0-beta.4) for details.
 
-- `halloy` has been updated to 2024.5, which introduced a breaking change by switching the config format from YAML to TOML. See https://github.com/squidowl/halloy/releases/tag/2024.5 for details.
+- `halloy` has been updated to 2024.5, which introduced a breaking change by switching the config format from YAML to TOML. See <https://github.com/squidowl/halloy/releases/tag/2024.5> for details.
 
 - `hvm` was updated to version 2.
 
@@ -308,7 +316,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `idris2` was updated to v0.7.0. This version introduces breaking changes. Check out the [changelog](https://github.com/idris-lang/Idris2/blob/v0.7.0/CHANGELOG.md#v070) for details.
 
-- `inetutils` now has a lower priority to avoid shadowing the commonly used `util-linux`. If one wishes to restore the default priority, simply use `lib.setPrio 5 inetutils` or override with `meta.priority = 5`.
+- `inetutils` now has a lower priority to avoid shadowing the commonly-used `util-linux`. If one wishes to restore the default priority, simply use `lib.setPrio 5 inetutils` or override with `meta.priority = 5`.
 
 - `jdt-language-server` package now uses upstream's provided python wrapper instead of our own custom wrapper. This results in the following breaking and notable changes:
 
@@ -320,7 +328,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `julia` environments can now be built with arbitrary packages from the ecosystem using the `.withPackages` function. For example: `julia.withPackages ["Plots"]`.
 
-- `k3s` has been updated to version [v1.30](https://github.com/k3s-io/k3s/releases/tag/v1.30.0%2Bk3s1), previous supported versions are available under release specific names (e.g. k3s_1_27, k3s_1_28, and k3s_1_29) and present to help you migrate to the latest supported version. See [changelog and upgrade notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1290) for more information.
+- `k3s` has been updated to version [v1.30](https://github.com/k3s-io/k3s/releases/tag/v1.30.0%2Bk3s1), previous supported versions are available under release-specific names (e.g. k3s_1_27, k3s_1_28, and k3s_1_29) in order to help you migrate to the latest supported version. See [changelog and upgrade notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1290) for more information.
 
 - `k9s` was updated to v0.31. There have been various breaking changes in the config file format,
   check out the changelog of [v0.29](https://github.com/derailed/k9s/releases/tag/v0.29.0),
@@ -334,12 +342,12 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `livebook` package is now built as a `mix release` instead of an `escript`.
   This means that configuration now has to be done using [environment variables](https://hexdocs.pm/livebook/readme.html#environment-variables) instead of command line arguments.
-  This has the further implication that the `livebook` service configuration has changed:
+  This has the further consequence that the `livebook` service configuration has changed.
 
 - `lua` interpreters default LUA_PATH and LUA_CPATH are not overriden by nixpkgs
   anymore, we patch LUA_ROOT instead which is more respectful to upstream.
 
-- `luarocks-packages-updater` has changed the .csv format used to define lua packages updates: `src` (URL towards a git repository) has now become `rockspec` (URL towards a rockspec) to remove ambiguity regarding which rockspec to use and simplify implementation.
+- `luarocks-packages-updater`'s .csv format, used to define lua packages to be updated, has changed: `src` (URL of a git repository) has now become `rockspec` (URL of a rockspec) to remove ambiguity regarding which rockspec to use and simplify implementation.
 
 - `mkosi` was updated to v22. Parts of the user interface have changed. Consult the
   release notes of [v19](https://github.com/systemd/mkosi/releases/tag/v19),
@@ -349,7 +357,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `mongodb-4_4` has been removed as it has reached end of life. Consequently, `unifi7` and `unifi8` now use MongoDB 5.0 by default.
 
-- `mongodb-5_0` and newer requires a cpu with the avx instruction set to run.
+- `mongodb-5_0` and newer requires a cpu with the AVX instruction set to run.
 
 - `neo4j` has been updated to version 5. You may want to read the [release notes for Neo4j 5](https://neo4j.com/release-notes/database/neo4j-5/).
 
@@ -369,7 +377,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
   `CONFIG_FILE_NAME` includes `bpf_pinning`, `ematch_map`, `group`, `nl_protos`, `rt_dsfield`, `rt_protos`, `rt_realms`, `rt_scopes`, and `rt_tables`.
 
 - `nextcloud26` has been removed since it's not maintained anymore by upstream. The latest available version of Nextcloud is now v29 (available as `pkgs.nextcloud29`). The installation logic is as follows:
-  - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
+  - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**).
   - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud29` will be installed by default.
   - If [`system.stateVersion`](#opt-system.stateVersion) is >=23.11, `pkgs.nextcloud27` will be installed by default.
   - Please note that an upgrade from v27 (or older) to v29 directly is not possible. Please upgrade to `nextcloud28` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud28;`](options.html#opt-services.nextcloud.package).
@@ -388,7 +396,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
   - `nomad_1_4` has been removed, as it is now unsupported upstream.
 
-- `nvtop` family of packages was reorganized into nested attrset. `nvtop` has been renamed to `nvtopPackages.full`, and all `nvtop-{amd,nvidia,intel,msm}` packages are now named as `nvtopPackages.{amd,nvidia,intel,msm}`.
+- `nvtop` family of packages was reorganized into a nested attrset. `nvtop` has been renamed to `nvtopPackages.full`, and all `nvtop-{amd,nvidia,intel,msm}` packages are renamed to `nvtopPackages.{amd,nvidia,intel,msm}`.
 
 - `openssh`, `openssh_hpn` and `openssh_gssapi` are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading
   to another signature algorithm. However, for the time being it is possible to restore DSA key support using `override` to set `dsaKeysSupport = true`.
@@ -406,7 +414,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 - `pipewire` and `wireplumber` modules have removed support for using
 `environment.etc."pipewire/..."` and `environment.etc."wireplumber/..."`.
 Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for PipeWire and
-`services.pipewire.wireplumber.configPackages` for WirePlumber instead."
+`services.pipewire.wireplumber.configPackages` for WirePlumber instead.
 
 - `power.ups` now generates `upsd.conf`, `upsd.users` and `upsmon.conf` automatically from a set of new configuration options. This breaks compatibility with existing `power.ups` setups where these files were created manually. Back up these files before upgrading NixOS.
 
@@ -438,19 +446,19 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 - `frr` was updated to 10.0, which introduces the default of `enforce-first-as` for BGP. Please disable again if needed.
 
 - `services.aria2.rpcSecret` has been replaced with `services.aria2.rpcSecretFile`.
-  This was done so that secrets aren't stored in the world-readable nix store.
+  This was done so that secrets aren't stored in the world-readable Nix store.
   To migrate, you will have to create a file with the same exact string, and change
   your module options to point to that file. For example, `services.aria2.rpcSecret =
   "mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`
   where the file `secret_file` contains the string `mysecret`.
 
-- `services.avahi.nssmdns` got split into `services.avahi.nssmdns4` and `services.avahi.nssmdns6` which enable the mDNS NSS switch for IPv4 and IPv6 respectively.
+- `services.avahi.nssmdns` was split into `services.avahi.nssmdns4` and `services.avahi.nssmdns6` which enable the mDNS NSS switches for IPv4 and IPv6 respectively.
   Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts.
 
-- `services.frp.settings` now generates the frp configuration file in TOML format as [recommended by upstream](https://github.com/fatedier/frp#configuration-files), instead of the legacy INI format. This has also introduced other changes in the configuration file structure and options.
-  - The `settings.common` section in the configuration is no longer valid and all the options form inside it now goes directly under `settings`.
-  - The `_` separating words in the configuration options is removed so the options are now in camel case. For example: `server_addr` becomes `serverAddr`, `server_port` becomes `serverPort` etc.
-  - Proxies are now defined with a new option `settings.proxies` which takes a list of proxies.
+- `services.frp.settings` now generates the frp configuration file in TOML format as [recommended by upstream](https://github.com/fatedier/frp#configuration-files), instead of the legacy INI format. This has also introduced other changes in the configuration file structure and options:
+  - The `settings.common` section in the configuration is no longer valid and all the options form inside it now go directly under `settings`.
+  - Configuration option names have been changed from snake_case to camelCase. For example: `server_addr` becomes `serverAddr`, `server_port` becomes `serverPort` etc.
+  - Proxies are now defined with a new option, `settings.proxies`, which takes a list of proxies.
   - Consult the [upstream documentation](https://github.com/fatedier/frp#example-usage) for more details on the changes.
 
 - `services.hledger-web.capabilities` options has been replaced by a new option `services.hledger-web.allow`.
@@ -505,13 +513,16 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - `services.redis.vmOverCommit` now defaults to `true` and no longer enforces Transparent Hugepages (THP) to be disabled. Redis only works with THP configured to `madvise` which is the kernel's default.
 
-- `services.resolved.fallbackDns` can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead.
+- `services.resolved.fallbackDns`
+  - can now be used to disable the upstream fallback servers entirely by setting it to `[]`
+  - to get previous behaviour of upstream defaults, set it to `null`
+  - default value has changed from `[]` to `null`, in order to preserve default behaviour
 
 - `services.vikunja` systemd service now uses `vikunja` as dynamic user instead of `vikunja-api`. Database users might need to be changed.
 
-- `services.vikunja.setupNginx` setting has been removed. Users now need to setup the webserver configuration on their own with a proxy pass to the vikunja service.
+- `services.vikunja.setupNginx` setting has been removed. Users now need to set up the webserver configuration on their own with a proxy pass to the vikunja service.
 
-- `services.vmagent` module deprecates `dataDir`, `group` and `user` setting in favor of systemd provided CacheDirectory and DynamicUser.
+- `services.vmagent` module deprecates `dataDir`, `group` and `user` settings in favor of the systemd-provided CacheDirectory and DynamicUser.
 
 - `services.vmagent.remoteWriteUrl` setting has been renamed to `services.vmagent.remoteWrite.url` and now defaults to `null`.
 
@@ -526,16 +537,16 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - `system.forbiddenDependenciesRegex` has been renamed to `system.forbiddenDependenciesRegexes` and now has the type of `listOf string` instead of `string` to accept multiple regexes.
 
-- `systemd.oomd` module behavior is changed as:
+- `systemd.oomd` module behavior has changed:
 
   - Raise ManagedOOMMemoryPressureLimit from 50% to 80%. This should make systemd-oomd kill things less often, and fix issues like [this](https://pagure.io/fedora-workstation/issue/358).
     Reference: [commit](https://src.fedoraproject.org/rpms/systemd/c/806c95e1c70af18f81d499b24cd7acfa4c36ffd6?branch=806c95e1c70af18f81d499b24cd7acfa4c36ffd6).
 
   - Remove swap policy. This helps prevent killing processes when user's swap is small.
 
-  - Expand the memory pressure policy to system.slice, user-.slice, and all user owned slices. Reference: [commit](https://src.fedoraproject.org/rpms/systemd/c/7665e1796f915dedbf8e014f0a78f4f576d609bb).
+  - Expand the memory pressure policy to `system.slice`, `user-.slice`, and all user-owned slices. Reference: [commit](https://src.fedoraproject.org/rpms/systemd/c/7665e1796f915dedbf8e014f0a78f4f576d609bb).
 
-  - `systemd.oomd.enableUserServices` is renamed to `systemd.oomd.enableUserSlices`.
+  - Rename `systemd.oomd.enableUserServices` to `systemd.oomd.enableUserSlices`.
 
 - `systemd.sysusers.enable` option was added. If enabled, users and
   groups are created with systemd-sysusers instead of with a custom perl script.
@@ -552,8 +563,6 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - `virtialisation.incus` now defaults to the newly-added `incus-lts` release (v6.0.x). Users who wish to continue using the non-LTS release will need to set `virtualisation.incus.package = pkgs.incus`. Stable release users are encouraged to stay on the LTS release as non-LTS releases will by default not be backported.
 
-- [watchdogd](https://troglobit.com/projects/watchdogd/), a system and process supervisor using watchdog timers. Available as [services.watchdogd](#opt-services.watchdogd.enable).
-
 - `woodpecker-*` packages have been updated to v2 which includes [breaking changes](https://woodpecker-ci.org/docs/next/migrations#200).
 
 - `wpaperd` has been updated to 1.0.1, which has a breaking change: previous version 0.3.0 had 2 different configuration files, one for wpaperd and one for the wallpapers. Remove the former and move the latter (`wallpaper.toml`) to `config.toml`.
@@ -566,11 +575,11 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - `xxd` has been moved from `vim` default output to its own output to reduce closure size. The canonical way to reference it across all platforms is `unixtools.xxd`.
 
-- `youtrack` is bumped to 2023.3. The update is not performed automatically, it requires manual interaction. See the YouTrack section in the manual for details.
+- `youtrack` was bumped to 2023.3. The update is not performed automatically, it requires manual interaction. See the YouTrack section in the manual for details.
 
 - Ada packages (libraries and tools) have been moved into the `gnatPackages` scope. `gnatPackages` uses the default GNAT compiler, `gnat12Packages` and `gnat13Packages` use the respective matching compiler version.
 
-- Paths provided as `restartTriggers` and `reloadTriggers` for systemd units will now be copied into the nix store to make the behavior consistent.
+- Paths provided as `restartTriggers` and `reloadTriggers` for systemd units will now be copied into the Nix store to make the behavior consistent.
   Previously, `restartTriggers = [ ./config.txt ]`, if defined in a flake, would trigger a restart when any part of the flake changed; and if not defined in a flake, would never trigger a restart even if the contents of `config.txt` changed.
 
 - A warning has been added for services that are
@@ -583,7 +592,7 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
   allows to restart multiple services that are ordered before sysinit.target
   and respect the ordering between the services.
 
-- The configuration format for `services.prometheus.exporters.snmp` changed with release 0.23.0.
+- `services.prometheus.exporters.snmp`'s configuration format changed with release 0.23.0.
   The module now includes an optional config check, that is enabled by default, to make the change obvious before any deployment.
   More information about the configuration syntax change is available in the [upstream repository](https://github.com/prometheus/snmp_exporter/blob/b75fc6b839ee3f3ccbee68bee55f1ae99555084a/auth-split-migration.md).
 
@@ -593,7 +602,7 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - `addDriverRunpath` has been added to facilitate the deprecation of the old `addOpenGLRunpath` setuphook. This change is motivated by the evolution of the setuphook to include all hardware acceleration.
 
-- `appimage`, `appimageTools.wrapAppImage` and `buildFHSEnvBubblewrap` now properly accepts `pname` and `version`.
+- `appimage`, `appimageTools.wrapAppImage` and `buildFHSEnvBubblewrap` now properly accept `pname` and `version`.
 
 - `bacula` now allows to configure `TLS` for encrypted communication.
 
@@ -608,18 +617,16 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 - `buildDubPackage` can now be used to build Programs written in [D](https://dlang.org/) using the `dub` build system and package manager.
   See the [D section](https://nixos.org/manual/nixpkgs/unstable#dlang) in the manual for more information.
 
-- `castopod` has some migration actions to be taken in case of a S3 setup. Some new features may also need some manual migration actions. See [https://code.castopod.org/adaures/castopod/-/releases](https://code.castopod.org/adaures/castopod/-/releases) for more informations.
+- `castopod` has some migration actions to be taken in case of a S3 setup. Some new features may also need some manual migration actions. See [https://code.castopod.org/adaures/castopod/-/releases](https://code.castopod.org/adaures/castopod/-/releases) for more information.
 
-- `cinnamon` has been updated to 6.0. Please beware that the [Wayland session](https://blog.linuxmint.com/?p=4591) is still experimental in this release and could potentially [affect Xorg sessions](https://blog.linuxmint.com/?p=4639). We suggest a reboot when switching between sessions.
-
-- `documentation.man.mandoc` now by default uses `MANPATH` to set the directories where mandoc will search for manual pages.
+- `documentation.man.mandoc` now, by default, uses `MANPATH` to set the directories where mandoc will search for manual pages.
   This enables mandoc to find manual pages in Nix profiles. To set the manual search paths via the `mandoc.conf` configuration file like before, use `documentation.man.mandoc.settings.manpath` instead.
 
 - `drbd` out-of-tree Linux kernel driver has been added in version 9.2.7. With it the DRBD 9.x features can be used instead of the 8.x features provided by the 8.4.11 in-tree driver.
 
 - `garage` has been updated to v1.x.x. Users should read the [upstream release notes](https://git.deuxfleurs.fr/Deuxfleurs/garage/releases/tag/v1.0.0) and follow the documentation when changing over their `services.garage.package` and performing this manual upgrade.
 
-- `hardware.pulseaudio` module now sets permission of pulse user home directory to 755 when running in "systemWide" mode. It fixes [issue 114399](https://github.com/NixOS/nixpkgs/issues/114399).
+- `hardware.pulseaudio` module now sets permissions of pulse user home directory to 755 when running in systemWide mode. It fixes [issue 114399](https://github.com/NixOS/nixpkgs/issues/114399).
 
 - `kavita` has been updated to 0.8.0, requiring a manual forced library scan on all libraries for migration. Refer to upstream's [release notes](https://github.com/Kareadita/Kavita/releases/tag/v0.8.0) for details.
 
@@ -627,7 +634,7 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - `libass` now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues with `mpv`, `ffmpeg`, etc.
 
-- `libjxl` version bumped from 0.8.2 to 0.9.1 [dropped support for the butteraugli API](https://github.com/libjxl/libjxl/pull/2576). You will no longer be able to set `enableButteraugli` on `libaom`.
+- `libjxl` version was bumped from 0.8.2 to 0.9.1 [dropped support for the butteraugli API](https://github.com/libjxl/libjxl/pull/2576). You will no longer be able to set `enableButteraugli` on `libaom`.
 
 - [`lilypond`](https://lilypond.org/index.html) and [`denemo`](https://www.denemo.org) are now compiled with Guile 3.0.
 
@@ -640,9 +647,9 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - `mpich` now requires `withPm` to be a list, e.g. `"hydra:gforker"` becomes `[ "hydra" "gforker" ]`.
 
-- `nextcloud-setup.service` no longer changes the group of each file & directory inside `/var/lib/nextcloud/{config,data,store-apps}` if one of these directories has the wrong owner group. This was part of transitioning the group used for `/var/lib/nextcloud`, but isn't necessary anymore.
+- `nextcloud-setup.service` no longer changes the group of each file and directory inside `/var/lib/nextcloud/{config,data,store-apps}` if one of these directories has the wrong owner group. This was part of transitioning the group used for `/var/lib/nextcloud`, but isn't necessary anymore.
 
-- `oils-for-unix`, the oil shell's c++ version is now available. The python version is still available as `oil`.
+- `oils-for-unix`, the oil shell's C++ version is now available. The Python version is still available as `oil`.
 
 - `pkgsExtraHardening`, a new top-level package set, was added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features).
 
@@ -663,7 +670,7 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - `services.github-runner` module has been removed. To configure a single GitHub Actions Runner refer to `services.github-runners.*`. Note that this will trigger a new runner registration.
 
-- `services.networkmanager.extraConfig` was renamed to `services.networkmanager.settings` and was changed to use the ini type instead of using a multiline string.
+- `services.networkmanager.extraConfig` was renamed to `services.networkmanager.settings` and changed to use the ini type instead of using a multiline string.
 
 - `services.nextcloud.config.dbport` option of the Nextcloud module was removed to match upstream.
   The port can be specified in [`services.nextcloud.config.dbhost`](#opt-services.nextcloud.config.dbhost).
@@ -691,7 +698,7 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - `services.paperless` module no longer uses the previously downloaded NLTK data stored in `/var/cache/paperless/nltk`. This directory can be removed.
 
-- `services.postgresql.extraPlugins` changed its type from just a list of packages to also a function that returns such a list.
+- `services.postgresql.extraPlugins`' type has expanded. Previously it was a list of packages, now it can also be a function that returns such a list.
   For example a config line like ``services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];`` is recommended to be changed to ``services.postgresql.extraPlugins = ps: with ps; [ postgis ];``;
 
 - `services.slskd` has been refactored to include more configuation options in
@@ -711,7 +718,7 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 - `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module
   (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.
 
-- `sonarr` version bumped to from 3.0.10 to 4.0.3. Consequently existing config database files will be upgraded automatically, but note that some old apparently-working configs [might actually be corrupt and fail to upgrade cleanly](https://forums.sonarr.tv/t/sonarr-v4-released/33089).
+- `sonarr` version was bumped to from 3.0.10 to 4.0.3. Consequently existing config database files will be upgraded automatically, but note that some old apparently-working configs [might actually be corrupt and fail to upgrade cleanly](https://forums.sonarr.tv/t/sonarr-v4-released/33089).
 
 - `stdenv`: The `--replace` flag in `substitute`, `substituteInPlace`, `substituteAll`, `substituteAllStream`, and `substituteStream` is now deprecated if favor of the new `--replace-fail`, `--replace-warn` and `--replace-quiet`. The deprecated `--replace` equates to `--replace-warn`.
 
@@ -741,8 +748,8 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - A new hardening flag, `trivialautovarinit` was made available, corresponding to the gcc/clang option `-ftrivial-auto-var-init=pattern`.
 
-- New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.).
-  The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime.
+- `dnsdist` has new options to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.).
+  The module can generate the DNSCrypt provider key pair and certificates, and also rotates them automatically with no downtime.
 
 - The kernel Yama LSM is now enabled by default, which prevents ptracing
   non-child processes. This means you will not be able to attach gdb to an

nixos/modules/config/nix-channel.nix

@@ -69,7 +69,7 @@ in
       defaultChannel = mkOption {
         internal = true;
         type = types.str;
-        default = "https://nixos.org/channels/nixos-unstable";
+        default = "https://nixos.org/channels/nixos-24.05";
         description = "Default NixOS channel to which the root user is subscribed.";
       };
     };

nixos/modules/config/no-x-libs.nix

@@ -54,10 +54,11 @@ with lib;
       intel-vaapi-driver = super.intel-vaapi-driver.override { enableGui = false; };
       libdevil = super.libdevil-nox;
       libextractor = super.libextractor.override { gtkSupport = false; };
+      libplacebo = super.libplacebo.override { vulkanSupport = false; };
       libva = super.libva-minimal;
       limesuite = super.limesuite.override { withGui = false; };
       mc = super.mc.override { x11Support = false; };
-      mpv-unwrapped = super.mpv-unwrapped.override { sdl2Support = false; x11Support = false; waylandSupport = false; };
+      mpv-unwrapped = super.mpv-unwrapped.override { drmSupport = false; screenSaverSupport = false; sdl2Support = false; vulkanSupport = false; waylandSupport = false; x11Support = false; };
       msmtp = super.msmtp.override { withKeyring = false; };
       mupdf = super.mupdf.override { enableGL = false; enableX11 = false; };
       neofetch = super.neofetch.override { x11Support = false; };

nixos/modules/installer/netboot/netboot.nix

@@ -39,7 +39,8 @@ with lib;
 
     # !!! Hack - attributes expected by other modules.
     environment.systemPackages = [ pkgs.grub2_efi ]
-      ++ (lib.optionals (pkgs.stdenv.hostPlatform.system != "aarch64-linux") [pkgs.grub2 pkgs.syslinux]);
+      ++ (lib.optionals (lib.meta.availableOn pkgs.stdenv.hostPlatform pkgs.syslinux)
+        [pkgs.grub2 pkgs.syslinux]);
 
     fileSystems."/" = mkImageMediaOverride
       { fsType = "tmpfs";

nixos/modules/misc/version.nix

@@ -31,6 +31,7 @@ let
       HOME_URL = optionalString isNixos "https://nixos.org/";
       DOCUMENTATION_URL = optionalString isNixos "https://nixos.org/learn.html";
       SUPPORT_URL = optionalString isNixos "https://nixos.org/community.html";
+      SUPPORT_END = "2024-12-31";
       BUG_REPORT_URL = optionalString isNixos "https://github.com/NixOS/nixpkgs/issues";
       ANSI_COLOR = optionalString isNixos "1;34";
       IMAGE_ID = optionalString (config.system.image.id != null) config.system.image.id;

nixos/modules/module-list.nix

@@ -218,6 +218,7 @@
   ./programs/kbdlight.nix
   ./programs/kclock.nix
   ./programs/kdeconnect.nix
+  ./programs/ladybird.nix
   ./programs/lazygit.nix
   ./programs/kubeswitch.nix
   ./programs/less.nix
@@ -293,6 +294,7 @@
   ./programs/virt-manager.nix
   ./programs/wavemon.nix
   ./programs/wayland/cardboard.nix
+  ./programs/wayland/hyprlock.nix
   ./programs/wayland/hyprland.nix
   ./programs/wayland/labwc.nix
   ./programs/wayland/river.nix
@@ -1325,6 +1327,7 @@
   ./services/video/unifi-video.nix
   ./services/video/v4l2-relayd.nix
   ./services/wayland/cage.nix
+  ./services/wayland/hypridle.nix
   ./services/web-apps/akkoma.nix
   ./services/web-apps/alps.nix
   ./services/web-apps/anuko-time-tracker.nix

nixos/modules/programs/coolercontrol.nix

@@ -48,9 +48,11 @@ in
 
     # Nvidia support
     (lib.mkIf cfg.nvidiaSupport {
-      systemd.services.coolercontrold.path = with config.boot.kernelPackages; [
-        nvidia_x11 # nvidia-smi
-        nvidia_x11.settings # nvidia-settings
+      systemd.services.coolercontrold.path = let
+        nvidiaPkg = config.hardware.nvidia.package;
+      in [
+        nvidiaPkg # nvidia-smi
+        nvidiaPkg.settings # nvidia-settings
       ];
     })
   ]);

nixos/modules/programs/ladybird.nix

@@ -0,0 +1,14 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.programs.ladybird;
+in {
+  options = {
+    programs.ladybird.enable = lib.mkEnableOption "the Ladybird web browser";
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.ladybird ];
+    fonts.fontDir.enable = true;
+  };
+}

nixos/modules/programs/steam.nix

@@ -53,6 +53,7 @@ in {
             then [ package ] ++ extraPackages
             else [ package32 ] ++ extraPackages32;
         in prevLibs ++ additionalLibs;
+        extraPkgs = p: (cfg.extraPackages ++ lib.optionals (prev ? extraPkgs) (prev.extraPkgs p));
       } // lib.optionalAttrs (cfg.gamescopeSession.enable && gamescopeCfg.capSysNice)
       {
         buildFHSEnv = pkgs.buildFHSEnv.override {
@@ -69,6 +70,19 @@ in {
       '';
     };
 
+    extraPackages = lib.mkOption {
+      type = lib.types.listOf lib.types.package;
+      default = [ ];
+      example = lib.literalExpression ''
+        with pkgs; [
+          gamescope
+        ]
+      '';
+      description = ''
+        Additional packages to add to the Steam environment.
+      '';
+    };
+
     extraCompatPackages = lib.mkOption {
       type = lib.types.listOf lib.types.package;
       default = [ ];

nixos/modules/programs/wayland/hyprlock.nix

@@ -0,0 +1,25 @@
+{ lib, pkgs, config, ... }:
+
+let
+  cfg = config.programs.hyprlock;
+in
+{
+  options.programs.hyprlock = {
+    enable = lib.mkEnableOption "hyprlock, Hyprland's GPU-accelerated screen locking utility";
+    package = lib.mkPackageOption pkgs "hyprlock" { };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [
+      cfg.package
+    ];
+
+    # Hyprlock needs Hypridle systemd service to be running to detect idle time
+    services.hypridle.enable = true;
+
+    # Hyprlock needs PAM access to authenticate, else it fallbacks to su
+    security.pam.services.hyprlock = {};
+  };
+
+  meta.maintainers = with lib.maintainers; [ johnrtitor ];
+}

nixos/modules/services/audio/mopidy.nix

@@ -78,6 +78,7 @@ in {
     systemd.services.mopidy = {
       wantedBy = [ "multi-user.target" ];
       after = [ "network-online.target" "sound.target" ];
+      wants = [ "network-online.target" ];
       description = "mopidy music player daemon";
       serviceConfig = {
         ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)}";

nixos/modules/services/backup/borgbackup.nix

@@ -361,7 +361,7 @@ in {
             type = types.bool;
             example = true;
             description = ''
-              Set the `persistentTimer` option for the
+              Set the `Persistent` option for the
               {manpage}`systemd.timer(5)`
               which triggers the backup immediately if the last trigger
               was missed (e.g. if the system was powered down).

nixos/modules/services/continuous-integration/hydra/default.nix

@@ -335,7 +335,7 @@ in
           mkdir -m 0700 -p ${baseDir}/queue-runner
           mkdir -m 0750 -p ${baseDir}/build-logs
           mkdir -m 0750 -p ${baseDir}/runcommand-logs
-          chown hydra-queue-runner.hydra \
+          chown hydra-queue-runner:hydra \
             ${baseDir}/queue-runner \
             ${baseDir}/build-logs \
             ${baseDir}/runcommand-logs

nixos/modules/services/desktop-managers/lomiri.nix

@@ -34,7 +34,7 @@ in {
         morph-browser
         qtmir # not having its desktop file for Xwayland available causes any X11 application to crash the session
         suru-icon-theme
-        telephony-service
+        # telephony-service # currently broken: https://github.com/NixOS/nixpkgs/pull/314043
       ]);
     };
 
@@ -75,7 +75,7 @@ in {
         ayatana-indicator-power
         ayatana-indicator-session
       ]) ++ (with pkgs.lomiri; [
-        telephony-service
+        # telephony-service # currently broken: https://github.com/NixOS/nixpkgs/pull/314043
       ] ++ lib.optionals config.networking.networkmanager.enable [
         lomiri-indicator-network
       ]);

nixos/modules/services/hardware/kanata.nix

@@ -7,7 +7,7 @@ let
 
   upstreamDoc = "See [the upstream documentation](https://github.com/jtroo/kanata/blob/main/docs/config.adoc) and [example config files](https://github.com/jtroo/kanata/tree/main/cfg_samples) for more information.";
 
-  keyboard = {
+  keyboard = { name, config, ... }: {
     options = {
       devices = mkOption {
         type = types.listOf types.str;
@@ -48,6 +48,21 @@ let
           ${upstreamDoc}
         '';
       };
+      configFile = mkOption {
+        type = types.path;
+        default = mkConfig name config;
+        defaultText =
+          "A config file generated by values from other kanata module options.";
+        description = ''
+          The config file.
+
+          By default, it is generated by values from other kanata
+          module options.
+
+          You can also set it to your own full config file which
+          overrides all other kanata module options.  ${upstreamDoc}
+        '';
+      };
       extraArgs = mkOption {
         type = types.listOf types.str;
         default = [ ];
@@ -85,6 +100,10 @@ let
 
       ${keyboard.config}
     '';
+    # Only the config file generated by this module is checked.  A
+    # user-provided one is not checked because it may not be available
+    # at build time.  I think this is a good balance between module
+    # complexity and functionality.
     checkPhase = ''
       ${getExe cfg.package} --cfg "$target" --check --debug
     '';
@@ -96,7 +115,7 @@ let
       Type = "notify";
       ExecStart = ''
         ${getExe cfg.package} \
-          --cfg ${mkConfig name keyboard} \
+          --cfg ${keyboard.configFile} \
           --symlink-path ''${RUNTIME_DIRECTORY}/${name} \
           ${optionalString (keyboard.port != null) "--port ${toString keyboard.port}"} \
           ${utils.escapeSystemdExecArgs keyboard.extraArgs}

nixos/modules/services/hardware/nvidia-container-toolkit/default.nix

@@ -69,14 +69,18 @@
     virtualisation.docker.daemon.settings = lib.mkIf
       (config.hardware.nvidia-container-toolkit.enable &&
        (lib.versionAtLeast config.virtualisation.docker.package.version "25")) {
-      features.cdi = true;
-    };
+         features.cdi = true;
+       };
 
     hardware.nvidia-container-toolkit.mounts = let
       nvidia-driver = config.hardware.nvidia.package;
     in (lib.mkMerge [
       [{ hostPath = pkgs.addDriverRunpath.driverLink;
          containerPath = pkgs.addDriverRunpath.driverLink; }
+       { hostPath = "${lib.getLib nvidia-driver}/etc";
+         containerPath = "${lib.getLib nvidia-driver}/etc"; }
+       { hostPath = "${lib.getLib nvidia-driver}/share";
+         containerPath = "${lib.getLib nvidia-driver}/share"; }
        { hostPath = "${lib.getLib pkgs.glibc}/lib";
          containerPath = "${lib.getLib pkgs.glibc}/lib"; }
        { hostPath = "${lib.getLib pkgs.glibc}/lib64";

nixos/modules/services/home-automation/wyoming/faster-whisper.nix

@@ -113,6 +113,9 @@ in
       nameValuePair "wyoming-faster-whisper-${server}" {
         inherit (options) enable;
         description = "Wyoming faster-whisper server instance ${server}";
+        wants = [
+          "network-online.target"
+        ];
         after = [
           "network-online.target"
         ];

nixos/modules/services/home-automation/wyoming/openwakeword.nix

@@ -108,6 +108,9 @@ in
   config = mkIf cfg.enable {
     systemd.services."wyoming-openwakeword" = {
       description = "Wyoming openWakeWord server";
+      wants = [
+        "network-online.target"
+      ];
       after = [
         "network-online.target"
       ];

nixos/modules/services/home-automation/wyoming/piper.nix

@@ -117,6 +117,9 @@ in
       nameValuePair "wyoming-piper-${server}" {
         inherit (options) enable;
         description = "Wyoming Piper server instance ${server}";
+        wants = [
+          "network-online.target"
+        ];
         after = [
           "network-online.target"
         ];

nixos/modules/services/mail/stalwart-mail.nix

@@ -70,7 +70,9 @@ in {
       storage.lookup = mkDefault "db";
       storage.blob = mkDefault "blob";
       resolver.type = mkDefault "system";
-      resolver.public-suffix = mkDefault ["https://publicsuffix.org/list/public_suffix_list.dat"];
+      resolver.public-suffix = lib.mkDefault [
+        "file://${pkgs.publicsuffix-list}/share/publicsuffix/public_suffix_list.dat"
+      ];
     };
 
     systemd.services.stalwart-mail = {

nixos/modules/services/misc/devpi-server.nix

@@ -74,8 +74,9 @@ in
       # have 0600 permissions.
       preStart =
         ''
-          cp ${cfg.secretFile} ${runtimeDir}/${secretsFileName}
-          chmod 0600 ${runtimeDir}/*${secretsFileName}
+          ${optionalString (!isNull cfg.secretFile)
+            "install -Dm 0600 \${CREDENTIALS_DIRECTORY}/devpi-secret ${runtimeDir}/${secretsFileName}"
+          }
 
           if [ -f ${serverDir}/.nodeinfo ]; then
             # already initialized the package index, exit gracefully
@@ -85,6 +86,9 @@ in
         + strings.optionalString cfg.replica "--role=replica --master-url=${cfg.primaryUrl}";
 
       serviceConfig = {
+        LoadCredential = lib.mkIf (! isNull cfg.secretFile) [
+          "devpi-secret:${cfg.secretFile}"
+        ];
         Restart = "always";
         ExecStart =
           let

nixos/modules/services/misc/gitea.nix

@@ -722,5 +722,5 @@ in
       timerConfig.OnCalendar = cfg.dump.interval;
     };
   };
-  meta.maintainers = with lib.maintainers; [ srhb ma27 pyrox0 ];
+  meta.maintainers = with lib.maintainers; [ ma27 techknowlogick SuperSandro2000 ];
 }

nixos/modules/services/misc/portunus.nix

@@ -98,6 +98,10 @@ in
 
           The OIDC secret must be set as the `DEX_CLIENT_''${id}` environment variable
           in the [](#opt-services.dex.environmentFile) setting.
+
+          ::: {.note}
+          Make sure the id only contains characters that are allowed in an environment variable name, e.g. no -.
+          :::
         '';
       };
 

nixos/modules/services/misc/snapper.nix

@@ -108,7 +108,7 @@ in
       type = types.bool;
       example = true;
       description = ''
-        Set the `persistentTimer` option for the
+        Set the `Persistent` option for the
         {manpage}`systemd.timer(5)`
         which triggers the snapshot immediately if the last trigger
         was missed (e.g. if the system was powered down).

nixos/modules/services/networking/frr.nix

@@ -23,10 +23,9 @@ let
     "pbr"
     "bfd"
     "fabric"
-    "mgmt"
   ];
 
-  allServices = services ++ [ "zebra" ];
+  allServices = services ++ [ "zebra" "mgmt" ];
 
   isEnabled = service: cfg.${service}.enable;
 
@@ -137,6 +136,20 @@ in
             '';
           };
         };
+        mgmt = (serviceOptions "mgmt") // {
+          enable = mkOption {
+            type = types.bool;
+            default = isEnabled "static";
+            defaultText = lib.literalExpression "config.services.frr.static.enable";
+            description = ''
+              Whether to enable the Configuration management daemon.
+
+              The Configuration management daemon is automatically
+              enabled if needed, at the moment this is when staticd
+              is enabled.
+            '';
+          };
+        };
       };
     }
     { options.services.frr = (genAttrs services serviceOptions); }
@@ -164,7 +177,7 @@ in
 
     environment.etc = let
       mkEtcLink = service: {
-        name = "frr/${service}.conf";
+        name = "frr/${daemonName service}.conf";
         value.source = configFile service;
       };
     in
@@ -196,18 +209,18 @@ in
               unitConfig.Documentation = if service == "zebra" then "man:zebra(8)"
                 else "man:${daemon}(8) man:zebra(8)";
 
-              restartTriggers = [
+              restartTriggers = mkIf (service != "mgmt") [
                 (configFile service)
               ];
-              reloadIfChanged = true;
+              reloadIfChanged = (service != "mgmt");
 
               serviceConfig = {
                 PIDFile = "frr/${daemon}.pid";
-                ExecStart = "${pkgs.frr}/libexec/frr/${daemon} -f /etc/frr/${service}.conf"
+                ExecStart = "${pkgs.frr}/libexec/frr/${daemon}"
                   + optionalString (scfg.vtyListenAddress != "") " -A ${scfg.vtyListenAddress}"
                   + optionalString (scfg.vtyListenPort != null) " -P ${toString scfg.vtyListenPort}"
                   + " " + (concatStringsSep " " scfg.extraOptions);
-                ExecReload = "${pkgs.python3.interpreter} ${pkgs.frr}/libexec/frr/frr-reload.py --reload --daemon ${daemonName service} --bindir ${pkgs.frr}/bin --rundir /run/frr /etc/frr/${service}.conf";
+                ExecReload = mkIf (service != "mgmt") "${pkgs.python3.interpreter} ${pkgs.frr}/libexec/frr/frr-reload.py --reload --daemon ${daemon} --bindir ${pkgs.frr}/bin --rundir /run/frr /etc/frr/${daemon}.conf";
                 Restart = "on-abnormal";
               };
             });

nixos/modules/services/networking/kea.nix

@@ -278,6 +278,9 @@ in
         "https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html"
       ];
 
+      wants = [
+        "network-online.target"
+      ];
       after = [
         "network-online.target"
         "time-sync.target"

nixos/modules/services/security/bitwarden-directory-connector-cli.nix

@@ -260,6 +260,7 @@ in {
         description = "Sync timer for Bitwarden Directory Connector";
         wantedBy = ["timers.target"];
         after = ["network-online.target"];
+        wants = ["network-online.target"];
         timerConfig = {
           OnCalendar = cfg.interval;
           Unit = "bitwarden-directory-connector-cli.service";

nixos/modules/services/security/oauth2-proxy-nginx.nix

@@ -83,6 +83,15 @@ in
   } ++ (lib.mapAttrsToList (vhost: conf: {
     virtualHosts.${vhost} = {
       locations = {
+        "/".extraConfig = ''
+          # pass information via X-User and X-Email headers to backend, requires running with --set-xauthrequest flag
+          proxy_set_header X-User  $user;
+          proxy_set_header X-Email $email;
+
+          # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+          add_header Set-Cookie $auth_cookie;
+        '';
+
         "/oauth2/auth" = let
           maybeQueryArg = name: value:
             if value == null then null
@@ -102,6 +111,7 @@ in
             proxy_pass_request_body           off;
           '';
         };
+
         "@redirectToAuth2ProxyLogin" = {
           return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri";
           extraConfig = ''
@@ -114,16 +124,10 @@ in
         auth_request /oauth2/auth;
         error_page 401 = @redirectToAuth2ProxyLogin;
 
-        # pass information via X-User and X-Email headers to backend,
-        # requires running with --set-xauthrequest flag
+        # set variables being used in locations."/".extraConfig
         auth_request_set $user   $upstream_http_x_auth_request_user;
         auth_request_set $email  $upstream_http_x_auth_request_email;
-        proxy_set_header X-User  $user;
-        proxy_set_header X-Email $email;
-
-        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
         auth_request_set $auth_cookie $upstream_http_set_cookie;
-        add_header Set-Cookie $auth_cookie;
       '';
     };
   }) cfg.virtualHosts)));

nixos/modules/services/video/frigate.nix

@@ -427,10 +427,6 @@ in
         PrivateTmp = true;
         CacheDirectory = "frigate";
         CacheDirectoryMode = "0750";
-
-        BindPaths = [
-          "/migrations:${cfg.package}/share/frigate/migrations:ro"
-        ];
       };
     };
   };

nixos/modules/services/wayland/hypridle.nix

@@ -0,0 +1,26 @@
+{ lib, pkgs, config, ... }:
+
+let
+  cfg = config.services.hypridle;
+in
+{
+  options.services.hypridle = {
+    enable = lib.mkEnableOption "hypridle, Hyprland's idle daemon";
+    package = lib.mkPackageOption pkgs "hypridle" { };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [
+      cfg.package
+    ];
+
+    systemd.user.services.hypridle = {
+      description = "Hypridle idle daemon";
+      wantedBy = [ "graphical-session.target" ];
+      partOf = [ "graphical-session.target" ];
+      script = lib.getExe cfg.package;
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ johnrtitor ];
+}

nixos/modules/services/web-apps/firefly-iii.nix

@@ -3,8 +3,8 @@
 let
   inherit (lib) optionalString mkDefault mkIf mkOption mkEnableOption literalExpression;
   inherit (lib.types) nullOr attrsOf oneOf str int bool path package enum submodule;
-  inherit (lib.strings) concatMapStringsSep removePrefix toShellVars removeSuffix hasSuffix;
-  inherit (lib.attrsets) attrValues genAttrs filterAttrs mapAttrs' nameValuePair;
+  inherit (lib.strings) concatLines removePrefix toShellVars removeSuffix hasSuffix;
+  inherit (lib.attrsets) mapAttrsToList attrValues genAttrs filterAttrs mapAttrs' nameValuePair;
   inherit (builtins) isInt isString toString typeOf;
 
   cfg = config.services.firefly-iii;
@@ -21,18 +21,10 @@ let
     (filterAttrs (n: v: hasSuffix "_FILE" n) cfg.settings);
   env-nonfile-values = filterAttrs (n: v: ! hasSuffix "_FILE" n) cfg.settings;
 
-  envfile = pkgs.writeText "firefly-iii-env" ''
-    ${toShellVars env-file-values}
-    ${toShellVars env-nonfile-values}
-  '';
-
   fileenv-func = ''
-    cp --no-preserve=mode ${envfile} /tmp/firefly-iii-env
-    ${concatMapStringsSep "\n"
-      (n: "${pkgs.replace-secret}/bin/replace-secret ${n} ${n} /tmp/firefly-iii-env")
-      (attrValues env-file-values)}
     set -a
-    . /tmp/firefly-iii-env
+    ${toShellVars env-nonfile-values}
+    ${concatLines (mapAttrsToList (n: v: "${n}=\"$(< ${v})\"") env-file-values)}
     set +a
   '';
 
@@ -41,15 +33,13 @@ let
 
     ${optionalString (cfg.settings.DB_CONNECTION == "sqlite")
       "touch ${cfg.dataDir}/storage/database/database.sqlite"}
-    ${artisan} migrate --seed --no-interaction --force
-    ${artisan} firefly-iii:decrypt-all
+    ${artisan} package:discover
     ${artisan} firefly-iii:upgrade-database
-    ${artisan} firefly-iii:correct-database
-    ${artisan} firefly-iii:report-integrity
     ${artisan} firefly-iii:laravel-passport-keys
     ${artisan} cache:clear
-
-    mv /tmp/firefly-iii-env /run/phpfpm/firefly-iii-env
+    ${artisan} view:cache
+    ${artisan} route:cache
+    ${artisan} config:cache
   '';
 
   commonServiceConfig = {
@@ -146,6 +136,7 @@ in {
 
     virtualHost = mkOption {
       type = str;
+      default = "localhost";
       description = ''
         The hostname at which you wish firefly-iii to be served. If you have
         enabled nginx using `services.firefly-iii.enableNginx` then this will
@@ -170,14 +161,15 @@ in {
     };
 
     settings = mkOption {
+      default = {};
       description = ''
         Options for firefly-iii configuration. Refer to
         <https://github.com/firefly-iii/firefly-iii/blob/main/.env.example> for
         details on supported values. All <option>_FILE values supported by
         upstream are supported here.
 
-        APP_URL will be set by `services.firefly-iii.virtualHost`, do not
-        redefine it here.
+        APP_URL will be the same as `services.firefly-iii.virtualHost` if the
+        former is unset in `services.firefly-iii.settings`.
       '';
       example = literalExpression ''
         {
@@ -192,7 +184,6 @@ in {
           DB_PASSWORD_FILE = "/var/secrets/firefly-iii-mysql-password.txt;
         }
       '';
-      default = {};
       type = submodule {
         freeformType = attrsOf (oneOf [str int bool]);
         options = {
@@ -216,9 +207,9 @@ in {
           };
           DB_PORT = mkOption {
             type = nullOr int;
-            default = if cfg.settings.DB_CONNECTION == "sqlite" then null
+            default = if cfg.settings.DB_CONNECTION == "pgsql" then 5432
                       else if cfg.settings.DB_CONNECTION == "mysql" then 3306
-                      else 5432;
+                      else null;
             defaultText = ''
               `null` if DB_CONNECTION is "sqlite", `3306` if "mysql", `5432` if "pgsql"
             '';
@@ -227,6 +218,21 @@ in {
               this value to be filled.
             '';
           };
+          DB_HOST = mkOption {
+            type = str;
+            default = if cfg.settings.DB_CONNECTION == "pgsql" then "/run/postgresql"
+                      else "localhost";
+            defaultText = ''
+              "localhost" if DB_CONNECTION is "sqlite" or "mysql", "/run/postgresql" if "pgsql".
+            '';
+            description = ''
+              The machine which hosts your database. This is left at the
+              default value for "mysql" because we use the "DB_SOCKET" option
+              to connect to a unix socket instead. "pgsql" requires that the
+              unix socket location be specified here instead of at "DB_SOCKET".
+              This option does not affect "sqlite".
+            '';
+          };
           APP_KEY_FILE = mkOption {
             type = path;
             description = ''
@@ -235,6 +241,20 @@ in {
               /dev/urandom | base64)" > /path/to/key-file`.
             '';
           };
+          APP_URL = mkOption {
+            type = str;
+            default = if cfg.virtualHost == "localhost" then "http://${cfg.virtualHost}"
+                      else "https://${cfg.virtualHost}";
+            defaultText = ''
+              http(s)://''${config.services.firefly-iii.virtualHost}
+            '';
+            description = ''
+              The APP_URL used by firefly-iii internally. Please make sure this
+              URL matches the external URL of your Firefly III installation. It
+              is used to validate specific requests and to generate URLs in
+              emails.
+            '';
+          };
         };
       };
     };
@@ -242,12 +262,6 @@ in {
 
   config = mkIf cfg.enable {
 
-    services.firefly-iii = {
-      settings = {
-        APP_URL = cfg.virtualHost;
-      };
-    };
-
     services.phpfpm.pools.firefly-iii = {
       inherit user group;
       phpPackage = cfg.package.phpPackage;
@@ -262,29 +276,27 @@ in {
       } // cfg.poolConfig;
     };
 
-    systemd.services.phpfpm-firefly-iii.serviceConfig = {
-      EnvironmentFile = "/run/phpfpm/firefly-iii-env";
-      ExecStartPost = "${pkgs.coreutils}/bin/rm /run/phpfpm/firefly-iii-env";
-    };
-
     systemd.services.firefly-iii-setup = {
+      after = [ "postgresql.service" "mysql.service" ];
       requiredBy = [ "phpfpm-firefly-iii.service" ];
       before = [ "phpfpm-firefly-iii.service" ];
       serviceConfig = {
         ExecStart = firefly-iii-maintenance;
         RuntimeDirectory = "phpfpm";
         RuntimeDirectoryPreserve = true;
+        RemainAfterExit = true;
       } // commonServiceConfig;
       unitConfig.JoinsNamespaceOf = "phpfpm-firefly-iii.service";
+      restartTriggers = [ cfg.package ];
     };
 
     systemd.services.firefly-iii-cron = {
+      after = [ "firefly-iii-setup.service" "postgresql.service" "mysql.service" ];
+      wants = [ "firefly-iii-setup.service" ];
       description = "Daily Firefly III cron job";
-      script = ''
-        ${fileenv-func}
-        ${artisan} firefly-iii:cron
-      '';
-      serviceConfig = commonServiceConfig;
+      serviceConfig = {
+        ExecStart = "${artisan} firefly-iii:cron";
+      } // commonServiceConfig;
     };
 
     systemd.timers.firefly-iii-cron = {
@@ -295,6 +307,7 @@ in {
         Persistent = true;
       };
       wantedBy = [ "timers.target" ];
+      restartTriggers = [ cfg.package ];
     };
 
     services.nginx = mkIf cfg.enableNginx {

nixos/release.nix

@@ -12,7 +12,7 @@ let
 
   version = fileContents ../.version;
   versionSuffix =
-    (if stableBranch then "." else "pre") + "${toString nixpkgs.revCount}.${nixpkgs.shortRev}";
+    (if stableBranch then "." else "beta") + "${toString (nixpkgs.revCount - 630170)}.${nixpkgs.shortRev}";
 
   # Run the tests for each platform.  You can run a test by doing
   # e.g. ‘nix-build release.nix -A tests.login.x86_64-linux’,

nixos/tests/ayatana-indicators.nix

@@ -33,7 +33,7 @@ in {
         ayatana-indicator-session
       ] ++ (with pkgs.lomiri; [
         lomiri-indicator-network
-        telephony-service
+        # telephony-service # currently broken: https://github.com/NixOS/nixpkgs/pull/314043
       ]);
     };
 

nixos/tests/domination.nix

@@ -10,6 +10,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
     ];
 
     services.xserver.enable = true;
+    sound.enable = true;
     environment.systemPackages = [ pkgs.domination ];
   };
 
@@ -18,6 +19,9 @@ import ./make-test-python.nix ({ pkgs, ... }: {
   testScript =
     ''
       machine.wait_for_x()
+      # Add a dummy sound card, or an error reporting popup will appear,
+      # covering the main window and preventing OCR
+      machine.execute("modprobe snd-dummy")
       machine.execute("domination >&2 &")
       machine.wait_for_window("Menu")
       machine.wait_for_text(r"(New Game|Start Server|Load Game|Help Manual|Join Game|About|Play Online)")

nixos/tests/firefly-iii.nix

@@ -1,14 +1,19 @@
-import ./make-test-python.nix ({ lib, pkgs, ... }: {
+import ./make-test-python.nix ({ lib, ... }:
+
+let
+  db-pass = "Test2Test2";
+  app-key = "TestTestTestTestTestTestTestTest";
+in
+{
   name = "firefly-iii";
   meta.maintainers = [ lib.maintainers.savyajha ];
 
-  nodes.machine = { config, ... }: {
+  nodes.fireflySqlite = { config, ... }: {
     environment.etc = {
-      "firefly-iii-appkey".text = "TestTestTestTestTestTestTestTest";
+      "firefly-iii-appkey".text = app-key;
     };
     services.firefly-iii = {
       enable = true;
-      virtualHost = "http://localhost";
       enableNginx = true;
       settings = {
         APP_KEY_FILE = "/etc/firefly-iii-appkey";
@@ -18,9 +23,87 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
     };
   };
 
+  nodes.fireflyPostgresql = { config, pkgs, ... }: {
+    environment.etc = {
+      "firefly-iii-appkey".text = app-key;
+      "postgres-pass".text = db-pass;
+    };
+    services.firefly-iii = {
+      enable = true;
+      enableNginx = true;
+      settings = {
+        APP_KEY_FILE = "/etc/firefly-iii-appkey";
+        LOG_CHANNEL = "stdout";
+        SITE_OWNER = "mail@example.com";
+        DB_CONNECTION = "pgsql";
+        DB_DATABASE = "firefly";
+        DB_USERNAME = "firefly";
+        DB_PASSWORD_FILE = "/etc/postgres-pass";
+      };
+    };
+
+    services.postgresql = {
+      enable = true;
+      package = pkgs.postgresql_15;
+      authentication = ''
+        local all postgres peer
+        local firefly firefly password
+      '';
+      initialScript = pkgs.writeText "firefly-init.sql" ''
+        CREATE USER "firefly" WITH LOGIN PASSWORD '${db-pass}';
+        CREATE DATABASE "firefly" WITH OWNER "firefly";
+        CREATE SCHEMA AUTHORIZATION firefly;
+      '';
+    };
+  };
+
+  nodes.fireflyMysql = { config, pkgs, ... }: {
+    environment.etc = {
+      "firefly-iii-appkey".text = app-key;
+      "mysql-pass".text = db-pass;
+    };
+    services.firefly-iii = {
+      enable = true;
+      enableNginx = true;
+      settings = {
+        APP_KEY_FILE = "/etc/firefly-iii-appkey";
+        LOG_CHANNEL = "stdout";
+        SITE_OWNER = "mail@example.com";
+        DB_CONNECTION = "mysql";
+        DB_DATABASE = "firefly";
+        DB_USERNAME = "firefly";
+        DB_PASSWORD_FILE = "/etc/mysql-pass";
+        DB_SOCKET = "/run/mysqld/mysqld.sock";
+      };
+    };
+
+    services.mysql = {
+      enable = true;
+      package = pkgs.mariadb;
+      initialScript = pkgs.writeText "firefly-init.sql" ''
+        create database firefly DEFAULT CHARACTER SET utf8mb4;
+        create user 'firefly'@'localhost' identified by '${db-pass}';
+        grant all on firefly.* to 'firefly'@'localhost';
+      '';
+      settings.mysqld.character-set-server = "utf8mb4";
+    };
+  };
+
   testScript = ''
-    machine.wait_for_unit("phpfpm-firefly-iii.service")
-    machine.wait_for_unit("nginx.service")
-    machine.succeed("curl -fvvv -Ls http://localhost/ | grep 'Firefly III'")
+    fireflySqlite.wait_for_unit("phpfpm-firefly-iii.service")
+    fireflySqlite.wait_for_unit("nginx.service")
+    fireflySqlite.succeed("curl -fvvv -Ls http://localhost/ | grep 'Firefly III'")
+    fireflySqlite.succeed("curl -fvvv -Ls http://localhost/v1/js/app.js")
+    fireflySqlite.succeed("systemctl start firefly-iii-cron.service")
+    fireflyPostgresql.wait_for_unit("phpfpm-firefly-iii.service")
+    fireflyPostgresql.wait_for_unit("nginx.service")
+    fireflyPostgresql.wait_for_unit("postgresql.service")
+    fireflyPostgresql.succeed("curl -fvvv -Ls http://localhost/ | grep 'Firefly III'")
+    fireflyPostgresql.succeed("systemctl start firefly-iii-cron.service")
+    fireflyMysql.wait_for_unit("phpfpm-firefly-iii.service")
+    fireflyMysql.wait_for_unit("nginx.service")
+    fireflyMysql.wait_for_unit("mysql.service")
+    fireflyMysql.succeed("curl -fvvv -Ls http://localhost/ | grep 'Firefly III'")
+    fireflyMysql.succeed("systemctl start firefly-iii-cron.service")
   '';
 })

nixos/tests/gnome-extensions.nix

@@ -84,7 +84,6 @@ import ./make-test-python.nix (
       "dash-to-dock"
       "dash-to-panel"
       "ddterm"
-      "emoji-selector"
       "gsconnect"
       "system-monitor-next"
       "desktop-icons-ng-ding"
@@ -138,11 +137,11 @@ import ./make-test-python.nix (
             # Enable and optionally disable
 
             machine.succeed(f"${run "gnome-extensions enable {extension}"}")
-            checkState("ENABLED", extension)
+            checkState("ACTIVE", extension)
 
             if disable:
                 machine.succeed(f"${run "gnome-extensions disable {extension}"}")
-                checkState("DISABLED", extension)
+                checkState("INACTIVE", extension)
     ''
     + lib.concatLines (map (e: ''checkExtension("${e}", False)'') alwaysOnExtensions)
     + lib.concatLines (map (e: ''checkExtension("${e}", True)'') testExtensions)

nixos/tests/stalwart-mail.nix

@@ -1,122 +1,147 @@
 # Rudimentary test checking that the Stalwart email server can:
 # - receive some message through SMTP submission, then
 # - serve this message through IMAP.
+{
+  system ? builtins.currentSystem,
+  config ? { },
+  pkgs ? import ../../.. { inherit system config; },
 
+  lib ? pkgs.lib,
+}:
 let
   certs = import ./common/acme/server/snakeoil-certs.nix;
   domain = certs.domain;
+  makeTest = import ./make-test-python.nix;
+  mkTestName =
+    pkg: "${pkg.pname}_${pkg.version}";
+  stalwartPackages = {
+    inherit (pkgs) stalwart-mail_0_6 stalwart-mail;
+  };
+  stalwartAtLeast = lib.versionAtLeast;
+  makeStalwartTest =
+    {
+      package,
+      name ? mkTestName package,
+    }:
+    makeTest {
+      inherit name;
+      meta.maintainers = with lib.maintainers; [
+        happysalada pacien onny
+      ];
 
-in import ./make-test-python.nix ({ lib, ... }: {
-  name = "stalwart-mail";
+      nodes.machine = { lib, ... }: {
 
-  nodes.main = { pkgs, ... }: {
-    security.pki.certificateFiles = [ certs.ca.cert ];
+        security.pki.certificateFiles = [ certs.ca.cert ];
 
-    services.stalwart-mail = {
-      enable = true;
-      settings = {
-        server.hostname = domain;
-
-        certificate."snakeoil" = {
-          cert = "file://${certs.${domain}.cert}";
-          private-key = "file://${certs.${domain}.key}";
-        };
-
-        server.tls = {
-          certificate = "snakeoil";
+        services.stalwart-mail = {
           enable = true;
-          implicit = false;
-        };
+          inherit package;
+          settings = {
+            server.hostname = domain;
 
-        server.listener = {
-          "smtp-submission" = {
-            bind = [ "[::]:587" ];
-            protocol = "smtp";
-          };
+            # TODO: Remove backwards compatibility as soon as we drop legacy version 0.6.0
+            certificate."snakeoil" = let
+              certPath = if stalwartAtLeast package.version "0.7.0" then "%{file://${certs.${domain}.cert}}%" else "file://${certs.${domain}.cert}";
+              keyPath = if stalwartAtLeast package.version "0.7.0" then "%{file:${certs.${domain}.key}}%" else "file://${certs.${domain}.key}";
+            in {
+              cert = certPath;
+              private-key = keyPath;
+            };
 
-          "imap" = {
-            bind = [ "[::]:143" ];
-            protocol = "imap";
+            server.tls = {
+              certificate = "snakeoil";
+              enable = true;
+              implicit = false;
+            };
+
+            server.listener = {
+              "smtp-submission" = {
+                bind = [ "[::]:587" ];
+                protocol = "smtp";
+              };
+
+              "imap" = {
+                bind = [ "[::]:143" ];
+                protocol = "imap";
+              };
+            };
+
+            session.auth.mechanisms = "[plain]";
+            session.auth.directory = "'in-memory'";
+            storage.directory = "in-memory";
+
+            session.rcpt.directory = "'in-memory'";
+            queue.outbound.next-hop = "'local'";
+
+            directory."in-memory" = {
+              type = "memory";
+              # TODO: Remove backwards compatibility as soon as we drop legacy version 0.6.0
+              principals = let
+                condition = if stalwartAtLeast package.version "0.7.0" then "class" else "type";
+              in builtins.map (p: p // { ${condition} = "individual"; }) [
+                {
+                  name = "alice";
+                  secret = "foobar";
+                  email = [ "alice@${domain}" ];
+                }
+                {
+                  name = "bob";
+                  secret = "foobar";
+                  email = [ "bob@${domain}" ];
+                }
+              ];
+            };
           };
         };
 
-        resolver.public-suffix = [ ];  # do not fetch from web in sandbox
+        environment.systemPackages = [
+          (pkgs.writers.writePython3Bin "test-smtp-submission" { } ''
+            from smtplib import SMTP
 
-        session.auth.mechanisms = "[plain]";
-        session.auth.directory = "'in-memory'";
-        storage.directory = "in-memory";
+            with SMTP('localhost', 587) as smtp:
+                smtp.starttls()
+                smtp.login('alice', 'foobar')
+                smtp.sendmail(
+                    'alice@${domain}',
+                    'bob@${domain}',
+                    """
+                        From: alice@${domain}
+                        To: bob@${domain}
+                        Subject: Some test message
 
-        session.rcpt.directory = "'in-memory'";
-        queue.outbound.next-hop = "'local'";
+                        This is a test message.
+                    """.strip()
+                )
+          '')
+
+          (pkgs.writers.writePython3Bin "test-imap-read" { } ''
+            from imaplib import IMAP4
+
+            with IMAP4('localhost') as imap:
+                imap.starttls()
+                status, [caps] = imap.login('bob', 'foobar')
+                assert status == 'OK'
+                imap.select()
+                status, [ref] = imap.search(None, 'ALL')
+                assert status == 'OK'
+                [msgId] = ref.split()
+                status, msg = imap.fetch(msgId, 'BODY[TEXT]')
+                assert status == 'OK'
+                assert msg[0][1].strip() == b'This is a test message.'
+          '')
+        ];
 
-        directory."in-memory" = {
-          type = "memory";
-          principals = [
-            {
-              type = "individual";
-              name = "alice";
-              secret = "foobar";
-              email = [ "alice@${domain}" ];
-            }
-            {
-              type = "individual";
-              name = "bob";
-              secret = "foobar";
-              email = [ "bob@${domain}" ];
-            }
-          ];
-        };
       };
+
+      testScript = ''
+        start_all()
+        machine.wait_for_unit("stalwart-mail.service")
+        machine.wait_for_open_port(587)
+        machine.wait_for_open_port(143)
+
+        machine.succeed("test-smtp-submission")
+        machine.succeed("test-imap-read")
+      '';
     };
-
-    environment.systemPackages = [
-      (pkgs.writers.writePython3Bin "test-smtp-submission" { } ''
-        from smtplib import SMTP
-
-        with SMTP('localhost', 587) as smtp:
-            smtp.starttls()
-            smtp.login('alice', 'foobar')
-            smtp.sendmail(
-                'alice@${domain}',
-                'bob@${domain}',
-                """
-                    From: alice@${domain}
-                    To: bob@${domain}
-                    Subject: Some test message
-
-                    This is a test message.
-                """.strip()
-            )
-      '')
-
-      (pkgs.writers.writePython3Bin "test-imap-read" { } ''
-        from imaplib import IMAP4
-
-        with IMAP4('localhost') as imap:
-            imap.starttls()
-            status, [caps] = imap.login('bob', 'foobar')
-            assert status == 'OK'
-            imap.select()
-            status, [ref] = imap.search(None, 'ALL')
-            assert status == 'OK'
-            [msgId] = ref.split()
-            status, msg = imap.fetch(msgId, 'BODY[TEXT]')
-            assert status == 'OK'
-            assert msg[0][1].strip() == b'This is a test message.'
-      '')
-    ];
-  };
-
-  testScript = /* python */ ''
-    main.wait_for_unit("stalwart-mail.service")
-    main.wait_for_open_port(587)
-    main.wait_for_open_port(143)
-
-    main.succeed("test-smtp-submission")
-    main.succeed("test-imap-read")
-  '';
-
-  meta = {
-    maintainers = with lib.maintainers; [ happysalada pacien ];
-  };
-})
+in
+lib.mapAttrs (_: package: makeStalwartTest { inherit package; }) stalwartPackages

nixos/tests/systemd-networkd-dhcpserver-static-leases.nix

@@ -24,6 +24,8 @@ import ./make-test-python.nix ({ lib, ... }: {
           "01-eth1" = {
             name = "eth1";
             networkConfig = {
+              # IPForward prevents dynamic address configuration
+              IPForward = true;
               DHCPServer = true;
               Address = "10.0.0.1/24";
             };
@@ -41,20 +43,30 @@ import ./make-test-python.nix ({ lib, ... }: {
     client = {
       virtualisation.vlans = [ 1 ];
       systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
-      networking = {
-        useNetworkd = true;
-        useDHCP = false;
-        firewall.enable = false;
-        interfaces.eth1 = {
-          useDHCP = true;
-          macAddress = "02:de:ad:be:ef:01";
+      systemd.network = {
+        enable = true;
+        links."10-eth1" = {
+          matchConfig.OriginalName = "eth1";
+          linkConfig.MACAddress = "02:de:ad:be:ef:01";
+        };
+        networks."40-eth1" = {
+          matchConfig.Name = "eth1";
+          networkConfig = {
+            DHCP = "ipv4";
+            IPv6AcceptRA = false;
+          };
+          # This setting is important to have the router assign the
+          # configured lease based on the client's MAC address. Also see:
+          # https://github.com/systemd/systemd/issues/21368#issuecomment-982193546
+          dhcpV4Config.ClientIdentifier = "mac";
+          linkConfig.RequiredForOnline = "routable";
         };
       };
-
-      # This setting is important to have the router assign the
-      # configured lease based on the client's MAC address. Also see:
-      # https://github.com/systemd/systemd/issues/21368#issuecomment-982193546
-      systemd.network.networks."40-eth1".dhcpV4Config.ClientIdentifier = "mac";
+      networking = {
+        useDHCP = false;
+        firewall.enable = false;
+        interfaces.eth1 = lib.mkForce {};
+      };
     };
   };
   testScript = ''

nixos/tests/teleport.nix

@@ -9,7 +9,6 @@ with import ../lib/testing-python.nix { inherit system pkgs; };
 let
   packages = with pkgs; {
     "default" = teleport;
-    "13" = teleport_13;
     "14" = teleport_14;
   };
 

nixos/tests/turbovnc-headless-server.nix

@@ -24,11 +24,14 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
     };
 
     # So that we can ssh into the VM, see e.g.
-    # http://blog.patapon.info/nixos-local-vm/#accessing-the-vm-with-ssh
+    # https://nixos.org/manual/nixos/stable/#sec-nixos-test-port-forwarding
     services.openssh.enable = true;
-    services.openssh.settings.PermitRootLogin = "yes";
-    users.extraUsers.root.password = "";
     users.mutableUsers = false;
+    # `test-instrumentation.nix` already sets an empty root password.
+    # The following have to all be set to allow an empty SSH login password.
+    services.openssh.settings.PermitRootLogin = "yes";
+    services.openssh.settings.PermitEmptyPasswords = "yes";
+    security.pam.services.sshd.allowNullPassword = true; # the default `UsePam yes` makes this necessary
   };
 
   testScript = ''
@@ -124,7 +127,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
         machine.wait_until_succeeds("test -f /tmp/glxgears-should-fail.stderr")
         wait_until_terminated_or_succeeds(
             termination_check_shell_command="pidof glxgears",
-            success_check_shell_command="grep 'libGL error: failed to load driver: swrast' /tmp/glxgears-should-fail.stderr",
+            success_check_shell_command="grep 'MESA-LOADER: failed to open swrast' /tmp/glxgears-should-fail.stderr",
             get_detail_message_fn=lambda: "Contents of /tmp/glxgears-should-fail.stderr:\n"
             + machine.succeed("cat /tmp/glxgears-should-fail.stderr"),
         )

pkgs/applications/audio/ledfx/default.nix

@@ -6,12 +6,12 @@
 
 python3.pkgs.buildPythonPackage rec {
   pname = "ledfx";
-  version = "2.0.96";
+  version = "2.0.99";
   pyproject = true;
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-nvPHAnoD5j1rneeuMufQkXj8YWXau2zJYug+Avpe87I=";
+    hash = "sha256-pwrAVcIwZ3RDYFMDk80q5aVSqLTQ5weZqgB3GRRu2ig=";
   };
 
   pythonRelaxDeps = true;
@@ -58,6 +58,7 @@ python3.pkgs.buildPythonPackage rec {
     sounddevice
     stupidartnet
     uvloop
+    vnoise
     voluptuous
     zeroconf
   ];
@@ -71,5 +72,6 @@ python3.pkgs.buildPythonPackage rec {
     changelog = "https://github.com/LedFx/LedFx/blob/${version}/CHANGELOG.rst";
     license = licenses.gpl3Only;
     maintainers = teams.c3d2.members;
+    mainProgram = "ledfx";
   };
 }

pkgs/applications/audio/mpdevil/default.nix

@@ -1,56 +0,0 @@
-{ lib, fetchFromGitHub
-, pkg-config, meson ,ninja
-, python3Packages
-, gdk-pixbuf, glib, gobject-introspection, gtk3
-, libnotify
-, wrapGAppsHook3 }:
-
-python3Packages.buildPythonApplication rec {
-  pname = "mpdevil";
-  version = "1.11.0";
-
-  src = fetchFromGitHub {
-    owner = "SoongNoonien";
-    repo = pname;
-    rev = "refs/tags/v${version}";
-    sha256 = "sha256-ooNZSsVtIeueqgj9hR9OZp08qm8gGokiq8IU3U/ZV5w=";
-  };
-
-  format = "other";
-
-  nativeBuildInputs = [
-    glib.dev gobject-introspection gtk3 pkg-config meson ninja wrapGAppsHook3
-  ];
-
-  buildInputs = [
-    gdk-pixbuf glib libnotify
-  ];
-
-  propagatedBuildInputs = with python3Packages; [
-    beautifulsoup4 distutils-extra mpd2 notify-py pygobject3 requests
-  ];
-
-  postInstall = ''
-    glib-compile-schemas $out/share/glib-2.0/schemas
-  '';
-
-  preFixup = ''
-    makeWrapperArgs+=("''${gappsWrapperArgs[@]}")
-  '';
-
-  # Prevent double wrapping.
-  dontWrapGApps = true;
-  # Otherwise wrapGAppsHook3 do not pick up the dependencies correctly.
-  strictDeps = false;
-  # There aren't any checks.
-  doCheck = false;
-
-  meta = with lib; {
-    description = "A simple music browser for MPD";
-    homepage = "https://github.com/SoongNoonien/mpdevil";
-    license = licenses.gpl3Plus;
-    platforms = platforms.linux;
-    maintainers = with maintainers; [ apfelkuchen6 ];
-    mainProgram = "mpdevil";
-  };
-}

pkgs/applications/audio/pyradio/default.nix

@@ -6,13 +6,13 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "pyradio";
-  version = "0.9.3.6";
+  version = "0.9.3.7";
 
   src = fetchFromGitHub {
     owner = "coderholic";
     repo = "pyradio";
     rev = "refs/tags/${version}";
-    hash = "sha256-As4xjwJtEKlnFuBigC7nN0kAPe0+99rE9KZ0F6i7qIQ=";
+    hash = "sha256-NwDVytD6nIM++ixGmLh02FIE+hLKHBwwD3aEAXVZn7I=";
   };
 
   nativeBuildInputs = [

pkgs/applications/editors/gnome-builder/default.nix

@@ -40,15 +40,15 @@
 , xvfb-run
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "gnome-builder";
-  version = "46.1";
+  version = "46.2";
 
   outputs = [ "out" "devdoc" ];
 
   src = fetchurl {
-    url = "mirror://gnome/sources/${pname}/${lib.versions.major version}/${pname}-${version}.tar.xz";
-    hash = "sha256-lhaWbVIqLIUCizPAm605cudp6fkK91VNXnGDfb3HiHE=";
+    url = "mirror://gnome/sources/gnome-builder/${lib.versions.major finalAttrs.version}/gnome-builder-${finalAttrs.version}.tar.xz";
+    hash = "sha256-DIV7iQA7JHh/Kx0qrhLSdaB0xmhLSIA7SMACdtk3GWM=";
   };
 
   patches = [
@@ -154,7 +154,7 @@ stdenv.mkDerivation rec {
   '';
 
   passthru.updateScript = gnome.updateScript {
-    packageName = pname;
+    packageName = "gnome-builder";
   };
 
   meta = with lib; {
@@ -175,4 +175,4 @@ stdenv.mkDerivation rec {
     platforms = platforms.linux;
     mainProgram = "gnome-builder";
   };
-}
+})

pkgs/applications/editors/vscode/extensions/default.nix

@@ -3294,6 +3294,21 @@ let
         };
       };
 
+      phind.phind = buildVscodeMarketplaceExtension {
+        mktplcRef = {
+          name = "phind";
+          publisher = "phind";
+          version = "0.22.2";
+          hash = "sha256-nN/7IVa4WaA5V39CHx0nrvWBmBNtISvAINTQzk02x1w=";
+        };
+        meta = {
+          description = "Using Phind AI service to provide answers based on the code context";
+          downloadPage = "https://marketplace.visualstudio.com/items?itemName=phind.phind";
+          license = lib.licenses.unfree;
+          maintainers = [ lib.maintainers.onny ];
+        };
+      };
+
       phoenixframework.phoenix = buildVscodeMarketplaceExtension {
         mktplcRef = {
           name = "phoenix";
@@ -4733,6 +4748,23 @@ let
         };
       };
 
+      xdebug.php-debug = buildVscodeMarketplaceExtension {
+        mktplcRef = {
+          name = "php-debug";
+          publisher = "xdebug";
+          version = "1.34.0";
+          hash = "sha256-WAcXWCMmvuw7nkfGcOgmK+s+Nw6XpvNR4POXD85E/So=";
+        };
+        meta = {
+          description = "PHP Debug Adapter";
+          license = lib.licenses.mit;
+          homepage = "https://github.com/xdebug/vscode-php-debug";
+          changelog = "https://github.com/xdebug/vscode-php-debug/blob/main/CHANGELOG.md";
+          downloadPage = "https://marketplace.visualstudio.com/items?itemName=xdebug.php-debug";
+          maintainers = [ lib.maintainers.onny ];
+        };
+      };
+
       xyz.local-history = buildVscodeMarketplaceExtension {
         mktplcRef = {
           name = "local-history";

pkgs/applications/editors/vscode/extensions/ms-vscode.cpptools/default.nix

@@ -73,6 +73,8 @@ vscode-utils.buildVscodeMarketplaceExtension {
     stdenv.cc.cc.lib
   ];
 
+  dontAutoPatchelf = true;
+
   postPatch = ''
     mv ./package.json ./package_orig.json
 
@@ -87,18 +89,27 @@ vscode-utils.buildVscodeMarketplaceExtension {
     touch "./install.lock"
 
     # Clang-format from nix package.
-    mv ./LLVM/ ./LLVM_orig
+    rm -rf ./LLVM
     mkdir "./LLVM/"
     find "${clang-tools}" -mindepth 1 -maxdepth 1 | xargs ln -s -t "./LLVM"
 
     # Patching binaries
-    chmod +x bin/cpptools bin/cpptools-srv bin/cpptools-wordexp debugAdapters/bin/OpenDebugAD7
+    chmod +x bin/cpptools bin/cpptools-srv bin/cpptools-wordexp bin/libc.so debugAdapters/bin/OpenDebugAD7
     patchelf --replace-needed liblttng-ust.so.0 liblttng-ust.so.1 ./debugAdapters/bin/libcoreclrtraceptprovider.so
   '';
 
-  postFixup = lib.optionalString gdbUseFixed ''
-    wrapProgram $out/share/vscode/extensions/ms-vscode.cpptools/debugAdapters/bin/OpenDebugAD7 --prefix PATH : ${lib.makeBinPath [ gdb ]}
-  '';
+  postFixup =
+    ''
+      autoPatchelf $out/share/vscode/extensions/ms-vscode.cpptools/debugAdapters
+
+      # cpptools* are distributed by the extension and need to be run through the distributed musl interpretter
+      patchelf --set-interpreter $out/share/vscode/extensions/ms-vscode.cpptools/bin/libc.so $out/share/vscode/extensions/ms-vscode.cpptools/bin/cpptools
+      patchelf --set-interpreter $out/share/vscode/extensions/ms-vscode.cpptools/bin/libc.so $out/share/vscode/extensions/ms-vscode.cpptools/bin/cpptools-srv
+      patchelf --set-interpreter $out/share/vscode/extensions/ms-vscode.cpptools/bin/libc.so $out/share/vscode/extensions/ms-vscode.cpptools/bin/cpptools-wordexp
+    ''
+    + lib.optionalString gdbUseFixed ''
+      wrapProgram $out/share/vscode/extensions/ms-vscode.cpptools/debugAdapters/bin/OpenDebugAD7 --prefix PATH : ${lib.makeBinPath [ gdb ]}
+    '';
 
   meta = {
     description = "The C/C++ extension adds language support for C/C++ to Visual Studio Code, including features such as IntelliSense and debugging.";

pkgs/applications/emulators/punes/default.nix

@@ -1,6 +1,7 @@
 { stdenv
 , lib
 , fetchFromGitHub
+, fetchpatch
 , gitUpdater
 , cmake
 , pkg-config
@@ -27,6 +28,16 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-TIXjYkInWV3yVnvXrdHcmeWYeps5TcvkG2Xjg4roIds=";
   };
 
+  patches = [
+    # Fix FTBFS with Qt 6.7.1
+    # Remove when https://github.com/punesemu/puNES/pull/403 merged & in release
+    (fetchpatch {
+      name = "0001-punes-Fix-compatibility-with-Qt-6.7.1.patch";
+      url = "https://github.com/punesemu/puNES/commit/78c72d2dfcd570e7463a78da10904cebae6127f5.patch";
+      hash = "sha256-xRalKIOb1qWgqJsFLcm7uUOblEfHDYbkukmcr4/+4Qc=";
+    })
+  ];
+
   nativeBuildInputs = [
     cmake
     pkg-config

pkgs/applications/gis/qgis/unwrapped-ltr.nix

@@ -77,14 +77,14 @@ let
     urllib3
   ];
 in mkDerivation rec {
-  version = "3.34.6";
+  version = "3.34.7";
   pname = "qgis-ltr-unwrapped";
 
   src = fetchFromGitHub {
     owner = "qgis";
     repo = "QGIS";
     rev = "final-${lib.replaceStrings [ "." ] [ "_" ] version}";
-    hash = "sha256-eWd8oIINWVN5Dt6s4bc1RtQbytFd0foPgIcd/N2hsMw=";
+    hash = "sha256-6fIBmIoCVo0AtkjC4Vn3jMjz93gZmvkFAgo+KnasyXo=";
   };
 
   passthru = {

pkgs/applications/gis/qgis/unwrapped.nix

@@ -78,14 +78,14 @@ let
     urllib3
   ];
 in mkDerivation rec {
-  version = "3.36.2";
+  version = "3.36.3";
   pname = "qgis-unwrapped";
 
   src = fetchFromGitHub {
     owner = "qgis";
     repo = "QGIS";
     rev = "final-${lib.replaceStrings [ "." ] [ "_" ] version}";
-    hash = "sha256-/8mpzl/6UpjrMVjae2nqpS2DBRCq86rE+B3INzoRz8g=";
+    hash = "sha256-uPyW/zzoyyd3SXvP+h9joJEv9DjRNJSaorx1rNmAaFQ=";
   };
 
   passthru = {

pkgs/applications/graphics/ImageMagick/default.nix

@@ -135,7 +135,10 @@ stdenv.mkDerivation (finalAttrs: {
     inherit nixos-icons;
     inherit (perlPackages) ImageMagick;
     inherit (python3.pkgs) img2pdf;
-    pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
+    pkg-config = testers.hasPkgConfigModules {
+      package = finalAttrs.finalPackage;
+      version = lib.head (lib.splitString "-" finalAttrs.version);
+    };
   };
 
   meta = with lib; {

pkgs/applications/graphics/f3d/default.nix

@@ -10,13 +10,14 @@
 , libGL
 , Cocoa
 , OpenGL
+, withManual ? !stdenv.isDarwin
 }:
 
 stdenv.mkDerivation rec {
   pname = "f3d";
   version = "2.4.0";
 
-  outputs = [ "out" "man" ];
+  outputs = [ "out" ] ++ lib.optionals withManual [ "man" ];
 
   src = fetchFromGitHub {
     owner = "f3d-app";
@@ -27,8 +28,11 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [
     cmake
+  ] ++ lib.optionals withManual [
+    # manpage
     help2man
     gzip
+  ] ++ lib.optionals stdenv.hostPlatform.isElf [
     # https://github.com/f3d-app/f3d/pull/1217
     autoPatchelfHook
   ];
@@ -41,7 +45,7 @@ stdenv.mkDerivation rec {
     "-DCMAKE_INSTALL_LIBDIR=lib"
     "-DCMAKE_INSTALL_INCLUDEDIR=include"
     "-DCMAKE_INSTALL_BINDIR=bin"
-
+  ] ++ lib.optionals withManual [
     "-DF3D_LINUX_GENERATE_MAN=ON"
   ];
 

pkgs/applications/graphics/gnome-obfuscate/default.nix

@@ -20,20 +20,20 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gnome-obfuscate";
-  version = "0.0.9";
+  version = "0.0.10";
 
   src = fetchFromGitLab {
     domain = "gitlab.gnome.org";
     owner = "World";
     repo = "Obfuscate";
     rev = finalAttrs.version;
-    hash = "sha256-aUhzact437V/bSsG2Ddu2mC03LbyXFg+hJiuGy5NQfQ=";
+    hash = "sha256-/Plvvn1tle8t/bsPcsamn5d81CqnyGCyGYPF6j6U5NI=";
   };
 
   cargoDeps = rustPlatform.fetchCargoTarball {
     inherit (finalAttrs) src;
     name = "${finalAttrs.pname}-${finalAttrs.version}";
-    hash = "sha256-HUQvdCmzjdmuJGDLtC/86yzbRimLzx+XbW29f+Ua48w=";
+    hash = "sha256-9lrxK2psdIPGsOC6p8T+3AGPrX6PjrK9mFirdJqBSMM=";
   };
 
   nativeBuildInputs = [

pkgs/applications/graphics/rnote/default.nix

@@ -93,5 +93,7 @@ stdenv.mkDerivation rec {
     license = licenses.gpl3Plus;
     maintainers = with maintainers; [ dotlambda gepbird yrd ];
     platforms = platforms.unix;
+    # compiler error since 2023-11-17
+    broken = stdenv.isDarwin;
   };
 }

pkgs/applications/misc/1password-gui/default.nix

@@ -9,43 +9,43 @@
 let
 
   pname = "1password";
-  version = if channel == "stable" then "8.10.30" else "8.10.30-20.BETA";
+  version = if channel == "stable" then "8.10.33" else "8.10.34-10.BETA";
 
   sources = {
     stable = {
       x86_64-linux = {
         url = "https://downloads.1password.com/linux/tar/stable/x86_64/1password-${version}.x64.tar.gz";
-        hash = "sha256-q1PKFpBgjada7jmeXZYmH8dvy2A4lwfrQ0jQSoHVNcg=";
+        hash = "sha256-njSvRi/sA7l5+XxfCpv3FY9SmCv5oPix9l2EZewZg1M=";
       };
       aarch64-linux = {
         url = "https://downloads.1password.com/linux/tar/stable/aarch64/1password-${version}.arm64.tar.gz";
-        hash = "sha256-Zv/mnykPi9PCDX44JtGi0GPrOujSmjx1BBJuEB81CwE=";
+        hash = "sha256-g4RMTlBQvJQaPD/6scYjpe7NWrL6gkjvh5b9LubTWaE=";
       };
       x86_64-darwin = {
         url = "https://downloads.1password.com/mac/1Password-${version}-x86_64.zip";
-        hash = "sha256-unC1cz5ooSdu4Csf7/daCyPdMy3/Lp3a76B7TBa/VXk=";
+        hash = "sha256-YzAYMk3SR+paIQYAZCx840u/k77soy17F15owpqRAU0=";
       };
       aarch64-darwin = {
         url = "https://downloads.1password.com/mac/1Password-${version}-aarch64.zip";
-        hash = "sha256-DS6oCdr6srF+diL68a2gOskS4x+uj1i8DtL3uaaxv/I=";
+        hash = "sha256-FlJnPMIv7mWh3dSACq01f16mB9EkVD2LOg3IIpvjwdY=";
       };
     };
     beta = {
       x86_64-linux = {
         url = "https://downloads.1password.com/linux/tar/beta/x86_64/1password-${version}.x64.tar.gz";
-        hash = "sha256-6I/3o+33sIkfyef8xGUWczaWykHPcvvAGv0xy/jCkKI=";
+        hash = "sha256-eX7D8D5KErFIQtyvg4oT+lR3A7sfRFpDMT7duigZTz0=";
       };
       aarch64-linux = {
         url = "https://downloads.1password.com/linux/tar/beta/aarch64/1password-${version}.arm64.tar.gz";
-        hash = "sha256-ph6DBBUzdUHtYCAQiA1me3bevtVPEgIxtwbgbdgQcGY=";
+        hash = "sha256-dajdeU8TtD9Dbnp2MFedAl8tuQr275cUqGAnm/VF+OE=";
       };
       x86_64-darwin = {
         url = "https://downloads.1password.com/mac/1Password-${version}-x86_64.zip";
-        hash = "sha256-XzZOj1pfoCTGMTsqZlI8hKTDRJ4w7debAPYHIIwsyyY=";
+        hash = "sha256-Dm8v7B8qDSBe1i7OJKQFn7YDPkw3Qj8YVtQkaQmdKuc=";
       };
       aarch64-darwin = {
         url = "https://downloads.1password.com/mac/1Password-${version}-aarch64.zip";
-        hash = "sha256-s+hnKhI2s6E1ZyJQxs3Wggy60LxCEr+u3tRtjTgjmZk=";
+        hash = "sha256-QSxJoVPlOQU7hbvbuVcB/kf5umRjJQuygMkXq6lE1CQ=";
       };
     };
   };

pkgs/applications/misc/gmnitohtml/default.nix

@@ -2,15 +2,15 @@
 
 buildGoModule rec {
   pname = "gmnitohtml";
-  version = "0.1.2";
+  version = "0.1.3";
 
   src = fetchFromSourcehut {
     owner = "~adnano";
     repo = pname;
     rev = version;
-    hash = "sha256-nKNSLVBBdZI5mkbEUkMv0CIOQIyH3OX+SEFf5O47DFY=";
+    hash = "sha256-9lsZgh/OyxAu1rsixD6XUgQzR1xDGOxGt0sR12zrs2M=";
   };
-  vendorHash = "sha256-Cx8x8AISRVTA4Ufd73vOVky97LX23NkizHDingr/zVk=";
+  vendorHash = "sha256-ppplXXqb2DM/AU+B+LefndrBiiTgCRNw6hEupfeWr+o=";
 
   ldflags = [ "-s" "-w" ];
 
@@ -18,11 +18,11 @@ buildGoModule rec {
   nativeBuildInputs = [ scdoc installShellFiles ];
 
   postBuild = ''
-    make gmnitohtml.1
+    make docs
   '';
 
   postInstall = ''
-    installManPage gmnitohtml.1
+    installManPage docs/gmnitohtml.1
   '';
 
   doInstallCheck = true;

pkgs/applications/misc/gnome-firmware/default.nix

@@ -20,14 +20,14 @@
 
 stdenv.mkDerivation rec {
   pname = "gnome-firmware";
-  version = "45.0";
+  version = "46.0";
 
   src = fetchFromGitLab {
     domain = "gitlab.gnome.org";
     owner = "World";
     repo = "gnome-firmware";
     rev = version;
-    sha256 = "sha256-KVyxOl7RdL80ZiEyiT+XGa/6Ss2g+5y+LIrR9TSRE+I=";
+    sha256 = "sha256-tEMSlKsqqPMZA0Gr89+u3dmAmZ7ffQm/2i1AB93y05E=";
   };
 
   nativeBuildInputs = [

pkgs/applications/misc/pdfslicer/default.nix

@@ -45,6 +45,10 @@ stdenv.mkDerivation rec {
     qpdf
   ];
 
+  CXXFLAGS =
+    # Pending upstream compatibility with GCC 13
+    lib.optional (stdenv.cc.isGNU && lib.versionAtLeast stdenv.cc.version "13") "-Wno-changes-meaning";
+
   meta = with lib; {
     description = "A simple application to extract, merge, rotate and reorder pages of PDF documents";
     homepage = "https://junrrein.github.io/pdfslicer/";

pkgs/applications/misc/phoc/default.nix

@@ -13,6 +13,7 @@
 , gnome-desktop
 , glib
 , gtk3
+, json-glib
 , wayland
 , libdrm
 , libxkbcommon
@@ -51,6 +52,7 @@ stdenv.mkDerivation (finalAttrs: {
     gnome-desktop
     # For keybindings settings schemas
     gnome.mutter
+    json-glib
     wayland
     finalAttrs.wlroots
     xorg.xcbutilwm

pkgs/applications/misc/remnote/default.nix

@@ -1,50 +1,25 @@
-{ lib, stdenv, fetchurl, appimageTools, makeDesktopItem }:
-
-stdenv.mkDerivation (finalAttrs: let
-  inherit (finalAttrs) pname version src appexec icon desktopItem;
-
-in
 {
+  lib,
+  fetchurl,
+  appimageTools,
+}:
+let
   pname = "remnote";
-  version = "1.16.4";
-
+  version = "1.16.18";
   src = fetchurl {
-    url = "https://download.remnote.io/remnote-desktop/RemNote-${version}.AppImage";
-    hash = "sha256-dgbQ0cbPq7BSQ9VwwH6+GoAxb85HDxRixfjeDJBtOrg=";
+    url = "https://download2.remnote.io/remnote-desktop2/RemNote-${version}.AppImage";
+    hash = "sha256-ps7Rl1oA2QOPvO2XeCY8DrWtCV9WPlX9jbhypz2ZARA=";
   };
+  appimageContents = appimageTools.extractType2 { inherit pname version src; };
+in
+appimageTools.wrapType2 {
+  inherit pname version src;
 
-  appexec = appimageTools.wrapType2 {
-    inherit pname version src;
-  };
-
-  icon = fetchurl {
-    url = "https://www.remnote.io/icon.png";
-    hash = "sha256-r5D7fNefKPdjtmV7f/88Gn3tqeEG8LGuD4nHI/sCk94=";
-  };
-
-  desktopItem = makeDesktopItem {
-    type = "Application";
-    name = "remnote";
-    desktopName = "RemNote";
-    comment = "Spaced Repetition";
-    icon = "remnote";
-    exec = "remnote %u";
-    categories = [ "Office" ];
-    mimeTypes = [ "x-scheme-handler/remnote" "x-scheme-handler/rn" ];
-  };
-
-  dontUnpack = true;
-  dontConfigure = true;
-  dontBuild = true;
-
-  installPhase = ''
-    runHook preInstall
-
-    install -Dm755 ${appexec}/bin/remnote $out/bin/remnote
-    install -Dm444 "${desktopItem}/share/applications/"* -t $out/share/applications/
-    install -Dm444 ${icon} $out/share/pixmaps/remnote.png
-
-    runHook postInstall
+  extraInstallCommands = ''
+    install -Dm444 ${appimageContents}/remnote.desktop -t $out/share/applications
+    substituteInPlace $out/share/applications/remnote.desktop \
+      --replace-fail 'Exec=AppRun --no-sandbox %U' 'Exec=remnote %u'
+    install -Dm444 ${appimageContents}/remnote.png -t $out/share/pixmaps
   '';
 
   meta = with lib; {
@@ -55,4 +30,4 @@ in
     platforms = [ "x86_64-linux" ];
     mainProgram = "remnote";
   };
-})
+}

pkgs/applications/networking/browsers/brave/default.nix

@@ -6,17 +6,17 @@ callPackage ./make-brave.nix (removeAttrs args [ "callPackage" ])
     if stdenv.isAarch64 then
       {
         pname = "brave";
-        version = "1.66.110";
-        url = "https://github.com/brave/brave-browser/releases/download/v1.66.110/brave-browser_1.66.110_arm64.deb";
-        hash = "sha256-yElWlzGdI+mopmPgXTABXncoufojHngRX88TCy3AE+E=";
+        version = "1.66.115";
+        url = "https://github.com/brave/brave-browser/releases/download/v1.66.115/brave-browser_1.66.115_arm64.deb";
+        hash = "sha256-zOrulR0a/iRYtjdFiyN0V6q0KktD7G0ZrEYSXfIwaL8=";
         platform = "aarch64-linux";
       }
     else if stdenv.isx86_64 then
       {
         pname = "brave";
-        version = "1.66.110";
-        url = "https://github.com/brave/brave-browser/releases/download/v1.66.110/brave-browser_1.66.110_amd64.deb";
-        hash = "sha256-2KtTI9QODfQR25YzXJMXJspuzCS11FpDx2L1B8DWmmc=";
+        version = "1.66.115";
+        url = "https://github.com/brave/brave-browser/releases/download/v1.66.115/brave-browser_1.66.115_amd64.deb";
+        hash = "sha256-TMQips7dyxKfYEin7QJCV0ru4NHi4j3DjLh2fmzuYeQ=";
         platform = "x86_64-linux";
       }
     else

pkgs/applications/networking/browsers/chromium/upstream-info.nix

@@ -1,11 +1,11 @@
 {
   stable = {
     chromedriver = {
-      hash_darwin = "sha256-DX0J3xeOK4Dy4BAjbrbu1rnIkmF8nlmy9tMaQhLsFcU=";
+      hash_darwin = "sha256-1gi+hWrVL+mBB8pHMXnX/8kzRCQqGuut/+wO/9yBABs=";
       hash_darwin_aarch64 =
-        "sha256-hRJeaeQS30srO5M1Gi43VYR/KrjNAhH0XozkEzvcbA0=";
-      hash_linux = "sha256-CcBQhIsK7mL7VNJCs6ynhrQeXPuB793DysyV1nj90mM=";
-      version = "125.0.6422.76";
+        "sha256-skYFjXBvv+2u/K770Dd3uxFYFer6GGx/EgWfAgzE9pI=";
+      hash_linux = "sha256-67rXlDJeDSpcpEhNQq0rVS2bSWPy3GXVnTo6dwKAnZU=";
+      version = "125.0.6422.78";
     };
     deps = {
       gn = {
@@ -15,8 +15,8 @@
         version = "2024-04-10";
       };
     };
-    hash = "sha256-m7WeRloS6tGH2AwhkNicpqThUQmS+9w2xFS2dbmu1vw=";
-    version = "125.0.6422.76";
+    hash = "sha256-EA8TzemtndFb8qAp4XWNjwWmNRz/P4Keh3k1Cn9qLEU=";
+    version = "125.0.6422.112";
   };
   ungoogled-chromium = {
     deps = {
@@ -27,11 +27,11 @@
         version = "2024-04-10";
       };
       ungoogled-patches = {
-        hash = "sha256-I3RQBa4LLuOdZQFKHIqePj9Ozw61dsuAOctqN1abij0=";
-        rev = "125.0.6422.60-1";
+        hash = "sha256-vHnXIrDdHGIe8byb41CiEWq3FPTecKg006dU7+iESKA=";
+        rev = "125.0.6422.112-1";
       };
     };
-    hash = "sha256-ewX7oRna7IYCXhAe98HS5HbS1psIEAguhZJ1ymK+dPE=";
-    version = "125.0.6422.60";
+    hash = "sha256-EA8TzemtndFb8qAp4XWNjwWmNRz/P4Keh3k1Cn9qLEU=";
+    version = "125.0.6422.112";
   };
 }

pkgs/applications/networking/browsers/firefox/packages.nix

@@ -3,10 +3,10 @@
 {
   firefox = buildMozillaMach rec {
     pname = "firefox";
-    version = "126.0";
+    version = "126.0.1";
     src = fetchurl {
       url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-      sha512 = "56025b051d544ca294911a1d6a66f09945f71012131881b64313dafb579730810a4b091950c90a21d4fd3f393ba23670d8409086e1677d80d0bbbe347c303527";
+      sha512 = "249605c4891ee9271def187d161369bd3ccbd347f5f0e175d0239aced3cb9ae9655d3c134b7705bda80ea1e63c0a2ee8eb4e76db0840019683376c00f20fc7ac";
     };
 
     extraPatches = [

pkgs/applications/networking/browsers/ladybird/default.nix

@@ -22,11 +22,11 @@
 
 let
   inherit (builtins) elemAt;
-  cldr_version = "44.1.0";
+  cldr_version = "45.0.0";
   cldr-json = fetchzip {
     url = "https://github.com/unicode-org/cldr-json/releases/download/${cldr_version}/cldr-${cldr_version}-json-modern.zip";
     stripRoot = false;
-    hash = "sha256-EbbzaaspKgRT/dsJV3Kf0Dfj8LN9zT+Pl4gk5kiOXWk=";
+    hash = "sha256-BPDvYjlvJMudX/YlS7HrwKEABYx+1KzjiFlLYA5+Oew=";
     postFetch = ''
       echo -n ${cldr_version} > $out/version.txt
     '';
@@ -50,30 +50,40 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "ladybird";
-  version = "0-unstable-2024-03-16";
+  version = "0-unstable-2024-05-26";
 
   src = fetchFromGitHub {
     owner = "SerenityOS";
     repo = "serenity";
-    rev = "3a8bde9ef24dace600484b38992fdc7d17bf92c3";
-    hash = "sha256-r8HYcexrOjDYsXuCtROiNY7Rl60pVQBvVQf190gqNuY=";
+    rev = "1a9d8e8fbe360f2d3b376ca0e13c507bd2cc6e8b";
+    hash = "sha256-+g/1F/v8nTVbvtSrtyvQbeYacjTlfRpg+Htu0lRlkcU=";
   };
 
-  sourceRoot = "${finalAttrs.src.name}/Ladybird";
+  patches = [
+    ./nixos-font-path.patch
+  ];
 
   postPatch = ''
     sed -i '/iconutil/d' CMakeLists.txt
 
     # Don't set absolute paths in RPATH
-    substituteInPlace ../Meta/CMake/lagom_install_options.cmake \
+    substituteInPlace Meta/CMake/lagom_install_options.cmake \
       --replace-fail "\''${CMAKE_INSTALL_BINDIR}" "bin" \
       --replace-fail "\''${CMAKE_INSTALL_LIBDIR}" "lib"
   '';
 
   preConfigure = ''
+    cd Ladybird
+
     # Setup caches for LibLocale, LibUnicode, LibTimezone, LibTLS and LibGfx
     # Note that the versions of the input data packages must match the
     # expected version in the package's CMake.
+
+    # Check that the versions match
+    grep -F 'set(CLDR_VERSION "${cldr_version}")' ../Meta/CMake/locale_data.cmake || (echo cldr_version mismatch && exit 1)
+    grep -F 'set(TZDB_VERSION "${tzdata.version}")' ../Meta/CMake/time_zone_data.cmake || (echo tzdata.version mismatch && exit 1)
+    grep -F 'set(CACERT_VERSION "${cacert_version}")' ../Meta/CMake/ca_certificates_data.cmake || (echo cacert_version mismatch && exit 1)
+
     mkdir -p build/Caches
 
     ln -s ${cldr-json} build/Caches/CLDR

pkgs/applications/networking/browsers/ladybird/nixos-font-path.patch

@@ -0,0 +1,12 @@
+diff --git a/Userland/Libraries/LibCore/StandardPaths.cpp b/Userland/Libraries/LibCore/StandardPaths.cpp
+index 77ddbeb9..76481497 100644
+--- a/Userland/Libraries/LibCore/StandardPaths.cpp
++++ b/Userland/Libraries/LibCore/StandardPaths.cpp
+@@ -205,6 +205,7 @@ ErrorOr<Vector<String>> StandardPaths::font_directories()
+         "/Library/Fonts"_string,
+         TRY(String::formatted("{}/Library/Fonts"sv, home_directory())),
+ #    else
++        "/run/current-system/sw/share/X11/fonts"_string,
+         "/usr/share/fonts"_string,
+         "/usr/local/share/fonts"_string,
+         TRY(String::formatted("{}/.local/share/fonts"sv, home_directory())),

pkgs/applications/networking/browsers/netsurf/libparserutils.nix

@@ -3,7 +3,7 @@
 , fetchurl
 , perl
 , buildsystem
-, iconv
+, libiconv
 }:
 
 stdenv.mkDerivation (finalAttrs: {
@@ -18,7 +18,8 @@ stdenv.mkDerivation (finalAttrs: {
   buildInputs = [
     perl
     buildsystem
-    iconv
+  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
+    libiconv
   ];
 
   makeFlags = [

pkgs/applications/networking/browsers/palemoon/bin.nix

@@ -20,7 +20,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "palemoon-bin";
-  version = "33.1.0";
+  version = "33.1.1";
 
   src = finalAttrs.passthru.sources."gtk${if withGTK3 then "3" else "2"}";
 
@@ -158,11 +158,11 @@ stdenv.mkDerivation (finalAttrs: {
     in {
       gtk3 = fetchzip {
         urls = urlRegionVariants "gtk3";
-        hash = "sha256-qjztSvNL7KNFG3sszgk5qH77do0HFQ8YTrgjFi2ZM00=";
+        hash = "sha256-0i0hXC6mC1SY2V6ANMXHS4LZ/HZk8FUsSDQfQUE14IM=";
       };
       gtk2 = fetchzip {
         urls = urlRegionVariants "gtk2";
-        hash = "sha256-q4zAmnCN9SHGb8PthjAx7d5FKq/oAQ8c0R+U1SWqjAA=";
+        hash = "sha256-RnBlCxIsWxm6BbtAS0YKHtix93N6t9jihFItqhtLhRU=";
       };
     };
 
@@ -215,7 +215,7 @@ stdenv.mkDerivation (finalAttrs: {
         # TODO free, redistributable? Has strict limitations on what modifications may be done & shipped by packagers
       }
     ];
-    maintainers = with maintainers; [ AndersonTorres OPNA2608 ];
+    maintainers = with maintainers; [ OPNA2608 ];
     sourceProvenance = with sourceTypes; [ binaryNativeCode ];
     mainProgram = "palemoon";
     platforms = [ "x86_64-linux" ];

pkgs/applications/networking/cluster/k3s/1_28/versions.nix

@@ -1,8 +1,8 @@
 {
-  k3sVersion = "1.28.9+k3s1";
-  k3sCommit = "289a1a3edbc0f6ee5a7f91bf96aa1ed1b743bd1f";
-  k3sRepoSha256 = "0kms6r10k6v037r5lxxrp90bnynrgyrn61kqnzy2f5avny4blikh";
-  k3sVendorHash = "sha256-iUp2Maua3BnrC4Jq2ij0uOW5gYYZfz6e+TEdDtN0PT8=";
+  k3sVersion = "1.28.10+k3s1";
+  k3sCommit = "a4c5612ea3dd202135e7c691c534c671a7d43690";
+  k3sRepoSha256 = "00r06kc98nvbmaai8m2pbqsl0v6y3kbc3rz3l7lb9wy4qhiyxrww";
+  k3sVendorHash = "sha256-8PbpjPVX+Yimhwbydu9YOTIMRTf/iLG21Ee/QMowp5Y=";
   chartVersions = import ./chart-versions.nix;
   k3sRootVersion = "0.12.2";
   k3sRootSha256 = "1gjynvr350qni5mskgm7pcc7alss4gms4jmkiv453vs8mmma9c9k";

pkgs/applications/networking/dyndns/dyndnsc/default.nix

@@ -1,61 +1,83 @@
-{ lib, python3Packages, fetchPypi, stdenv }:
+{
+  lib,
+  stdenv,
+  python3Packages,
+  fetchPypi,
+}:
 
 python3Packages.buildPythonApplication rec {
   pname = "dyndnsc";
   version = "0.6.1";
+  pyproject = true;
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "13078d29eea2f9a4ca01f05676c3309ead5e341dab047e0d51c46f23d4b7fbb4";
+    hash = "sha256-EweNKe6i+aTKAfBWdsMwnq1eNB2rBH4NUcRvI9S3+7Q=";
   };
 
   postPatch = ''
-    substituteInPlace setup.py --replace "bottle==" "bottle>="
+    substituteInPlace setup.py \
+      --replace-fail '"pytest-runner"' ""
   '';
 
-  nativeBuildInputs = with python3Packages; [ pytest-runner ];
-  propagatedBuildInputs = with python3Packages; [
+  pythonRelaxDeps = [ "bottle" ];
+
+  build-system = with python3Packages; [ setuptools ];
+
+  nativeBuildInputs = with python3Packages; [ pythonRelaxDepsHook ];
+
+  dependencies = with python3Packages; [
     daemonocle
     dnspython
+    json-logging
     netifaces
     requests
-    json-logging
     setuptools
   ];
-  nativeCheckInputs = with python3Packages; [ bottle mock pytest-console-scripts pytestCheckHook ];
 
-  disabledTests = [
-    # dnswanip connects to an external server to discover the
-    # machine's IP address.
-    "dnswanip"
-  ] ++ lib.optionals stdenv.isDarwin [
-    # The tests that spawn a server using Bottle cannot be run on
-    # macOS or Windows as the default multiprocessing start method
-    # on those platforms is 'spawn', which requires the code to be
-    # run to be picklable, which this code isn't.
-    # Additionaly, other start methods are unsafe and prone to failure
-    # on macOS; see https://bugs.python.org/issue33725.
-    "BottleServer"
+  nativeCheckInputs = with python3Packages; [
+    bottle
+    pytest-console-scripts
+    pytestCheckHook
   ];
+
+  disabledTests =
+    [
+      # dnswanip connects to an external server to discover the
+      # machine's IP address.
+      "dnswanip"
+      # AssertionError
+      "test_null_dummy"
+    ]
+    ++ lib.optionals stdenv.isDarwin [
+      # The tests that spawn a server using Bottle cannot be run on
+      # macOS or Windows as the default multiprocessing start method
+      # on those platforms is 'spawn', which requires the code to be
+      # run to be picklable, which this code isn't.
+      # Additionaly, other start methods are unsafe and prone to failure
+      # on macOS; see https://bugs.python.org/issue33725.
+      "BottleServer"
+    ];
   # Allow tests that bind or connect to localhost on macOS.
   __darwinAllowLocalNetworking = true;
 
   meta = with lib; {
     description = "Dynamic DNS update client with support for multiple protocols";
-    mainProgram = "dyndnsc";
     longDescription = ''
       Dyndnsc is a command line client for sending updates to Dynamic
-      DNS (DDNS, DynDNS) services.  It supports multiple protocols and
-      services, and it has native support for IPv6.  The configuration
-      file allows using foreign, but compatible services.  Dyndnsc
+      DNS (DDNS, DynDNS) services. It supports multiple protocols and
+      services, and it has native support for IPv6. The configuration
+      file allows using foreign, but compatible services. Dyndnsc
       ships many different IP detection mechanisms, support for
       configuring multiple services in one place and it has a daemon
-      mode for running unattended.  It has a plugin system to provide
+      mode for running unattended. It has a plugin system to provide
       external notification services.
     '';
     homepage = "https://github.com/infothrill/python-dyndnsc";
+    changelog = "https://github.com/infothrill/python-dyndnsc/releases/tag/${version}";
     license = licenses.mit;
     maintainers = with maintainers; [ AluisioASG ];
+    mainProgram = "dyndnsc";
     platforms = platforms.unix;
   };
 }

pkgs/applications/networking/instant-messengers/chatty/default.nix

@@ -15,6 +15,7 @@
 , gnome-desktop
 , gspell
 , gtk4
+, gtksourceview5
 , gst_all_1
 , json-glib
 , libgcrypt
@@ -28,17 +29,17 @@
 , plugins ? [ ]
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "chatty";
-  version = "0.8.2";
+  version = "0.8.3";
 
   src = fetchFromGitLab {
     domain = "gitlab.gnome.org";
     owner = "World";
     repo = "Chatty";
-    rev = "v${version}";
+    rev = "v${finalAttrs.version}";
     fetchSubmodules = true;
-    hash = "sha256-7SdoN9JjGwELOdISJwS1Afcydp/rE2uq/tHO/UrFKNU=";
+    hash = "sha256-Ywed/8PhOgmzcka+5dyxjmWTcDBPF90LW+C2eeQmyLo=";
   };
 
   nativeBuildInputs = [
@@ -59,6 +60,7 @@ stdenv.mkDerivation rec {
     gnome-desktop
     gspell
     gtk4
+    gtksourceview5
     gst_all_1.gstreamer
     json-glib
     libgcrypt
@@ -82,9 +84,9 @@ stdenv.mkDerivation rec {
     description = "XMPP and SMS messaging via libpurple and ModemManager";
     mainProgram = "chatty";
     homepage = "https://gitlab.gnome.org/World/Chatty";
-    changelog = "https://gitlab.gnome.org/World/Chatty/-/blob/${src.rev}/NEWS";
+    changelog = "https://gitlab.gnome.org/World/Chatty/-/blob/${finalAttrs.src.rev}/NEWS";
     license = licenses.gpl3Plus;
     maintainers = with maintainers; [ dotlambda ];
     platforms = platforms.linux;
   };
-}
+})

pkgs/applications/networking/instant-messengers/discord/default.nix

@@ -3,14 +3,14 @@ let
   versions =
     if stdenv.isLinux then {
       stable = "0.0.54";
-      ptb = "0.0.84";
-      canary = "0.0.382";
-      development = "0.0.18";
+      ptb = "0.0.85";
+      canary = "0.0.402";
+      development = "0.0.19";
     } else {
-      stable = "0.0.303";
-      ptb = "0.0.113";
-      canary = "0.0.492";
-      development = "0.0.40";
+      stable = "0.0.305";
+      ptb = "0.0.114";
+      canary = "0.0.510";
+      development = "0.0.41";
     };
   version = versions.${branch};
   srcs = rec {
@@ -21,33 +21,33 @@ let
       };
       ptb = fetchurl {
         url = "https://dl-ptb.discordapp.net/apps/linux/${version}/discord-ptb-${version}.tar.gz";
-        hash = "sha256-0bOsmy2ldZT7S4tVOkihE5eLiujXC/ugF8CKXfBXHNU=";
+        hash = "sha256-2RyilxldJX2wqKlEcrp6srj0O7UNHMxySRJD1xBfqMk=";
       };
       canary = fetchurl {
         url = "https://dl-canary.discordapp.net/apps/linux/${version}/discord-canary-${version}.tar.gz";
-        hash = "sha256-MXMq4V+21KPHoCUs5x1rNRbkfw6+3cF7xSSNguiqOfc=";
+        hash = "sha256-YE+sHmEkUCHLflSUgf4aotWWdzhbFyzozc3vLcJ96yA=";
       };
       development = fetchurl {
         url = "https://dl-development.discordapp.net/apps/linux/${version}/discord-development-${version}.tar.gz";
-        hash = "sha256-SoJ4/jXl0axQyeqv8CPSzM+lBsYq/QelHctRAeoscdA=";
+        hash = "sha256-RP6SUM4DW3JhddSbJX6Xg8EE4iqCkSOgBL1oa7Zwp/E=";
       };
     };
     x86_64-darwin = {
       stable = fetchurl {
         url = "https://dl.discordapp.net/apps/osx/${version}/Discord.dmg";
-        hash = "sha256-B4r0W//d3761ufQr4PAt4ZuPMrOC7Zfo8Q3lHqKxkJ0=";
+        hash = "sha256-UEKsweUvtVKXZDrdIYuo3FPSPrnY3ECIilntBs9ZrGU=";
       };
       ptb = fetchurl {
         url = "https://dl-ptb.discordapp.net/apps/osx/${version}/DiscordPTB.dmg";
-        hash = "sha256-hdT33jK0nHvY3rIh9i1eDq5j46xS9xInRxzGCUP/hi8=";
+        hash = "sha256-ahCgJ1aSLL7Mhx5Jjkeuqqlis8gqxHbIhQvlbUK2wIU=";
       };
       canary = fetchurl {
         url = "https://dl-canary.discordapp.net/apps/osx/${version}/DiscordCanary.dmg";
-        hash = "sha256-74XQu4PGW3eW4wPICGsAVlR4SQkDXJWZ1p/G7Bwq950=";
+        hash = "sha256-viWOmu1+6tpzNDN/q0kXRMo+rohOP6/L7ke2EeBEADg=";
       };
       development = fetchurl {
         url = "https://dl-development.discordapp.net/apps/osx/${version}/DiscordDevelopment.dmg";
-        hash = "sha256-uPz3uWPAqp3JeL9E+coMrb2Hc+Zn0YGF9Jw3BTKYRlw=";
+        hash = "sha256-RiGyca/zjPpENgcq9KnRh5G4YArrUOQeueUdUBgZgjo=";
       };
     };
     aarch64-darwin = x86_64-darwin;

pkgs/applications/networking/instant-messengers/element/pin.nix

@@ -1,9 +1,9 @@
 {
-  "version" = "1.11.66";
+  "version" = "1.11.67";
   "hashes" = {
-    "desktopSrcHash" = "sha256-QrFk6NIHvWgQuJz33CEU6rwmgtGZ9w3L9vqj/rdCkE8=";
-    "desktopYarnHash" = "1kin5z6cjgsljdhh5f4fq2782ld86pza6hz58rq1zwbd187nzbwz";
-    "webSrcHash" = "sha256-xWaK2tHsuZmiwp7HExX83zKL8Z0ScRCEOnfxePWk2KI=";
-    "webYarnHash" = "1ykjpsg4d4kykd6w7c0yjyg8ljpc9czzwjx7ab27i84ys6pknx3q";
+    "desktopSrcHash" = "sha256-oM4/PKydmIBp2zVbzJRbVYnklYO2IHH7ZBV4MfLxnQo=";
+    "desktopYarnHash" = "04dbsacigq5jrh7gpyxj31grwzsg58cy6d4y7k3hmcwd4gj68iid";
+    "webSrcHash" = "sha256-faJiuAmEIEkNrwjgU06XT9J2NxJrJNIsPb1K5WXR0Lc=";
+    "webYarnHash" = "14sy3by840gbxqyvhwaj5k07hvhcsj300s39qjfsg1sx9fnfzck3";
   };
 }

pkgs/applications/networking/instant-messengers/feishu/default.nix

@@ -57,44 +57,25 @@
 , wayland
 , wrapGAppsHook3
 , xdg-utils
+, writeScript
 
-# for custom command line arguments, e.g. "--use-gl=desktop"
+  # for custom command line arguments, e.g. "--use-gl=desktop"
 , commandLineArgs ? ""
 }:
 
-stdenv.mkDerivation rec {
-  version = "6.9.20";
-  pname = "feishu";
-  packageHash = "6085d1c4"; # A hash value used in the download url
-
-  src = fetchurl {
-    url = "https://sf3-cn.feishucdn.com/obj/ee-appcenter/${packageHash}/Feishu-linux_x64-${version}.deb";
-    hash = "sha256-kg5j/vWaCBUjnF983kk0ZMJ+inF5z5ctED9+ITuIn94=";
+let
+  sources = {
+    x86_64-linux = fetchurl {
+      url = "https://sf3-cn.feishucdn.com/obj/ee-appcenter/7e382fc2/Feishu-linux_x64-7.15.13.deb";
+      sha256 = "sha256-CyQmQKfyYcWqpty5LxTNqm73AVnPdm7biBwICkbBEco=";
+    };
+    aarch64-linux = fetchurl {
+      url = "https://sf3-cn.feishucdn.com/obj/ee-appcenter/4c8c2fbf/Feishu-linux_arm64-7.15.13.deb";
+      sha256 = "sha256-nxtu5xOafZ1tlN/f0+5VF2I6ISfHmPJTztOI+AQwp9c=";
+    };
   };
 
-  nativeBuildInputs = [
-    autoPatchelfHook
-    makeShellWrapper
-    dpkg
-  ];
-
-  buildInputs = [
-    gtk3
-
-    # for autopatchelf
-    alsa-lib
-    cups
-    curl
-    libXdamage
-    libXtst
-    libdrm
-    libgcrypt
-    libpulseaudio
-    libxshmfence
-    mesa
-    nspr
-    nss
-  ];
+  supportedPlatforms = [ "x86_64-linux" "aarch64-linux" ];
 
   rpath = lib.makeLibraryPath [
     alsa-lib
@@ -149,6 +130,36 @@ stdenv.mkDerivation rec {
     wayland
     xdg-utils
   ];
+in
+stdenv.mkDerivation {
+  version = "7.15.13";
+  pname = "feishu";
+
+  src = sources.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+
+  nativeBuildInputs = [
+    autoPatchelfHook
+    makeShellWrapper
+    dpkg
+  ];
+
+  buildInputs = [
+    gtk3
+
+    # for autopatchelf
+    alsa-lib
+    cups
+    curl
+    libXdamage
+    libXtst
+    libdrm
+    libgcrypt
+    libpulseaudio
+    libxshmfence
+    mesa
+    nspr
+    nss
+  ];
 
   dontUnpack = true;
   installPhase = ''
@@ -189,12 +200,38 @@ stdenv.mkDerivation rec {
     ln -sf ${curl}/lib/libcurl.so $out/opt/bytedance/feishu/libcurl.so
   '';
 
+  passthru = {
+    inherit sources;
+    updateScript = writeScript "update-feishu.sh" ''
+      #!/usr/bin/env nix-shell
+      #!nix-shell -i bash -p curl jq common-updater-scripts
+
+      for platform in ${lib.escapeShellArgs supportedPlatforms}; do
+        if [ $platform = "x86_64-linux" ]; then
+          platform_id=10
+        elif [ $platform = "aarch64-linux" ]; then
+          platform_id=12
+        else
+          echo "Unsupported platform: $platform"
+          exit 1
+        fi
+        package_info=$(curl -sf "https://www.feishu.cn/api/package_info?platform=$platform_id")
+        update_link=$(echo $package_info | jq -r '.data.download_link' | sed 's/lf[0-9]*-ug-sign.feishucdn.com/sf3-cn.feishucdn.com\/obj/;s/?.*$//')
+        new_version=$(echo $package_info | jq -r '.data.version_number' | sed -n 's/.*@V//p')
+        sha256_hash=$(nix-prefetch-url $update_link)
+        sri_hash=$(nix hash to-sri --type sha256 $sha256_hash)
+        update-source-version feishu 0 ${lib.fakeSha256} --system=$platform --source-key="sources.$platform"
+        update-source-version feishu $new_version $sri_hash $update_link --system=$platform --source-key="sources.$platform"
+      done
+    '';
+  };
+
   meta = with lib; {
     description = "An all-in-one collaboration suite";
     homepage = "https://www.feishu.cn/en/";
     downloadPage = "https://www.feishu.cn/en/#en_home_download_block";
     license = licenses.unfree;
-    platforms = [ "x86_64-linux" ];
+    platforms = supportedPlatforms;
     maintainers = with maintainers; [ billhuang ];
   };
 }

pkgs/applications/networking/instant-messengers/telegram/telegram-desktop/default.nix

@@ -63,14 +63,14 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "telegram-desktop";
-  version = "5.0.1";
+  version = "5.0.6";
 
   src = fetchFromGitHub {
     owner = "telegramdesktop";
     repo = "tdesktop";
     rev = "v${version}";
     fetchSubmodules = true;
-    hash = "sha256-GKKlcNcFPXslyjE7u5t+VLOiEXY8RYjYvBNL+WjpeeY=";
+    hash = "sha256-n3WeyGQCw9fbA/1hZ85mqdm5xuBLjy9qHMcVRb4cmAg=";
   };
 
   patches = [

pkgs/applications/networking/instant-messengers/webex/default.nix

@@ -56,11 +56,11 @@
 
 stdenv.mkDerivation rec {
   pname = "webex";
-  version = "43.11.0.28947";
+  version = "44.5.0.29672";
 
   src = fetchurl {
-    url = "https://binaries.webex.com/WebexDesktop-Ubuntu-Gold/20240311173044/Webex_ubuntu.7z";
-    sha256 = "f84669a2cd974435c6c0f8a6dc5a62c4ef01a3848e36ffcc8077f718be4a3b86";
+    url = "https://binaries.webex.com/WebexDesktop-Ubuntu-Gold/20240521091053/Webex_ubuntu.7z";
+    sha256 = "e155c280d15f2db4b5e638f244319dbec938d6de267f2fed1b4ba2b55fbb8a9b";
   };
 
   nativeBuildInputs = [

pkgs/applications/networking/mailreaders/evolution/evolution-ews/default.nix

@@ -22,11 +22,11 @@
 
 stdenv.mkDerivation rec {
   pname = "evolution-ews";
-  version = "3.52.1";
+  version = "3.52.2";
 
   src = fetchurl {
     url = "mirror://gnome/sources/${pname}/${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
-    hash = "sha256-TR9OlipFClJnADNQiaOQfZgMB2Z/q9Vmmag06Z2HSrI=";
+    hash = "sha256-qVUPG1PUdANt0jmWJ7MRjrO4QxhBztwO3yFFewlhkUE=";
   };
 
   patches = [

pkgs/applications/networking/mailreaders/evolution/evolution-ews/hardcode-gsettings.patch

@@ -1,8 +1,8 @@
 diff --git a/src/EWS/calendar/e-cal-backend-ews-utils.c b/src/EWS/calendar/e-cal-backend-ews-utils.c
-index b7c65ae..b334198 100644
+index 87b02c6..3fabca6 100644
 --- a/src/EWS/calendar/e-cal-backend-ews-utils.c
 +++ b/src/EWS/calendar/e-cal-backend-ews-utils.c
-@@ -2425,7 +2425,19 @@ e_cal_backend_ews_get_configured_evolution_icaltimezone (void)
+@@ -2484,7 +2484,19 @@ e_cal_backend_ews_get_configured_evolution_icaltimezone (void)
  		if (schema) {
  			GSettings *settings;
  
@@ -24,10 +24,10 @@ index b7c65ae..b334198 100644
  			if (g_settings_get_boolean (settings, "use-system-timezone"))
  				location = e_cal_util_get_system_timezone_location ();
 diff --git a/src/EWS/camel/camel-ews-utils.c b/src/EWS/camel/camel-ews-utils.c
-index dbd9adb..a2372a4 100644
+index 44a20d6..90d5729 100644
 --- a/src/EWS/camel/camel-ews-utils.c
 +++ b/src/EWS/camel/camel-ews-utils.c
-@@ -1553,7 +1553,18 @@ ews_utils_save_category_changes (GHashTable *old_categories, /* gchar *guid ~> C
+@@ -1554,7 +1554,18 @@ ews_utils_save_category_changes (GHashTable *old_categories, /* gchar *guid ~> C
  
  	evo_labels = g_ptr_array_new_full (5, g_free);
  

pkgs/applications/networking/mailreaders/evolution/evolution/default.nix

@@ -44,11 +44,11 @@
 
 stdenv.mkDerivation rec {
   pname = "evolution";
-  version = "3.52.1";
+  version = "3.52.2";
 
   src = fetchurl {
     url = "mirror://gnome/sources/evolution/${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
-    hash = "sha256-aNrtER2t42GMpwjss8q0zZO6UC9a6dXnlwc8OhPinek=";
+    hash = "sha256-pIt0EtE+2sdPbAms+mdmVuahLt8AMM3cJgKawE2j5VE=";
   };
 
   nativeBuildInputs = [

pkgs/applications/networking/remote/dayon/default.nix

@@ -11,13 +11,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "dayon";
-  version = "14.0.0";
+  version = "14.0.1";
 
   src = fetchFromGitHub {
     owner = "RetGal";
     repo = "dayon";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-cUaWfOpR0sNq8cRghZVW9mTVhJ5us12/lzucxetiVkg=";
+    hash = "sha256-7XrgPrYKhaUvmXxiZLsduzrbyZRHjPSo+fg4BvlatHQ=";
   };
 
   nativeBuildInputs = [

pkgs/applications/office/p3x-onenote/default.nix

@@ -11,8 +11,8 @@ let
   }.${stdenv.hostPlatform.system};
 
   sha256 = {
-    aarch64-linux = "0plpwymm1bgzbzwk2689lw1fadxdwxzzn5dmayk1ayxz1k3pj9wi";
-    armv7l-linux = "1pvr8f1ccl4nyfmshn3v3jfaa5x519rsy57g4pdapffj10vpbkb8";
+    aarch64-linux = "sha256-HFuxmMo0m4UOxEQVd32LGvbFsOS8jwCCCS6K/YJIIBE=";
+    armv7l-linux = "sha256-JMgYvqkaRw5sfjbKybAkk28KT12+c19dMir2DUN7Ub0=";
     x86_64-linux = "sha256-hr/mPOrliP8Dej3DVE2+wYkb1J789WCkkY3xe9EcM44=";
   }.${stdenv.hostPlatform.system};
 

pkgs/applications/science/biology/sratoolkit/default.nix

@@ -49,7 +49,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     homepage = "https://github.com/ncbi/sra-tools";
     description = "The SRA Toolkit and SDK from NCBI is a collection of tools and libraries for using data in the INSDC Sequence Read Archives.";
-    license = licenses.publicDomain;
+    license = licenses.ncbiPd;
     maintainers = with maintainers; [ thyol ];
     platforms = [ "x86_64-linux" ];
   };

pkgs/applications/science/logic/cbmc/0001-Do-not-download-sources-in-cmake.patch

@@ -1,4 +1,4 @@
-From 206084d2e08198b0b5b67733c407bd3fb74affb1 Mon Sep 17 00:00:00 2001
+From 714f5ebe9ade721abdccf58edfcddba52465cb8d Mon Sep 17 00:00:00 2001
 From: Jiajie Chen <c@jia.je>
 Date: Sun, 2 Jul 2023 22:43:27 +0800
 Subject: [PATCH] Do not download sources in cmake
@@ -8,7 +8,7 @@ Subject: [PATCH] Do not download sources in cmake
  1 file changed, 1 insertion(+), 10 deletions(-)
 
 diff --git a/src/solvers/CMakeLists.txt b/src/solvers/CMakeLists.txt
-index 8bfcf4d13c..6ba858a461 100644
+index daa0853a57..4bcbbdaa47 100644
 --- a/src/solvers/CMakeLists.txt
 +++ b/src/solvers/CMakeLists.txt
 @@ -123,16 +123,6 @@ foreach(SOLVER ${sat_impl})
@@ -16,11 +16,11 @@ index 8bfcf4d13c..6ba858a461 100644
          message(STATUS "Building solvers with cadical")
  
 -        download_project(PROJ cadical
--            URL https://github.com/arminbiere/cadical/archive/rel-1.5.3.tar.gz
--            PATCH_COMMAND patch -p1 -i ${CBMC_SOURCE_DIR}/../scripts/cadical-1.5.3-patch
+-            URL https://github.com/arminbiere/cadical/archive/rel-1.7.2.tar.gz
+-            PATCH_COMMAND patch -p1 -i ${CBMC_SOURCE_DIR}/../scripts/cadical-1.7.2-patch
 -            COMMAND cmake -E copy ${CBMC_SOURCE_DIR}/../scripts/cadical_CMakeLists.txt CMakeLists.txt
 -            COMMAND ./configure
--            URL_MD5 265b1a715000ed3c5b6de36ddd1278a0
+-            URL_MD5 be646831a017f81b300664e58deba1b5
 -        )
 -
 -        add_subdirectory(${cadical_SOURCE_DIR} ${cadical_BINARY_DIR})
@@ -32,10 +32,10 @@ index 8bfcf4d13c..6ba858a461 100644
          target_include_directories(solvers
              PUBLIC
              ${cadical_SOURCE_DIR}/src
-+	    ${cadical_INCLUDE_DIR}
++            ${cadical_INCLUDE_DIR}
          )
  
          target_link_libraries(solvers cadical)
 -- 
-2.40.1
+2.42.0
 

pkgs/applications/science/logic/cbmc/default.nix

@@ -13,13 +13,13 @@
 
 stdenv.mkDerivation rec {
   pname = "cbmc";
-  version = "5.91.0";
+  version = "5.95.1";
 
   src = fetchFromGitHub {
     owner = "diffblue";
     repo = pname;
     rev = "${pname}-${version}";
-    sha256 = "sha256-7DzhGEDS9T6WIjGoxOw9Gf/q+tYNFJDPbQUBV3tbn/I=";
+    sha256 = "sha256-fDLSo5EeHyPTliAqFp+5mfaB0iZXIMXeMyF21fjl5k4=";
   };
 
   nativeBuildInputs = [
@@ -82,7 +82,7 @@ stdenv.mkDerivation rec {
     license = licenses.bsdOriginal;
     maintainers = with maintainers; [ jiegec ];
     platforms = platforms.unix;
-    # https://github.com/diffblue/cbmc/issues/7423
-    broken = stdenv.isLinux && stdenv.isAarch64;
+    # error: no member named 'aligned_alloc' in the global namespace
+    broken = stdenv.isDarwin && stdenv.isx86_64;
   };
 }

pkgs/applications/science/logic/hol_light/default.nix

@@ -1,8 +1,12 @@
-{ lib, stdenv, runtimeShell, fetchFromGitHub, fetchpatch, ocaml, findlib, num, camlp5, camlp-streams }:
+{ lib, stdenv, runtimeShell, fetchFromGitHub, fetchpatch, ocaml, findlib, num, zarith, camlp5, camlp-streams }:
 
 let
+  use_zarith = lib.versionAtLeast ocaml.version "4.14";
   load_num =
-    lib.optionalString (num != null) ''
+    if use_zarith then ''
+      -I ${zarith}/lib/ocaml/${ocaml.version}/site-lib/zarith \
+      -I ${zarith}/lib/ocaml/${ocaml.version}/site-lib/stublibs \
+    '' else lib.optionalString (num != null) ''
       -I ${num}/lib/ocaml/${ocaml.version}/site-lib/num \
       -I ${num}/lib/ocaml/${ocaml.version}/site-lib/top-num \
       -I ${num}/lib/ocaml/${ocaml.version}/site-lib/stublibs \
@@ -22,18 +26,15 @@ let
     '';
 in
 
-lib.throwIf (lib.versionAtLeast ocaml.version "5.0")
-  "hol_light is not available for OCaml ${ocaml.version}"
-
 stdenv.mkDerivation {
   pname = "hol_light";
-  version = "unstable-2023-11-03";
+  version = "unstable-2024-05-10";
 
   src = fetchFromGitHub {
     owner = "jrh13";
     repo = "hol-light";
-    rev = "dcd765c6032f52a0c0bf21fce5da4794a823e880";
-    hash = "sha256-k2RBNDo4tc3eobKB84Y2xr0UQJvef0hv6jyFCaDCQFM=";
+    rev = "d8366986e22555c4e4c8ff49667d646d15c35f14";
+    hash = "sha256-dN9X7yQlFof759I5lxxL4DxDe8V3XAhCRaryO9NabY4=";
   };
 
   patches = [
@@ -46,7 +47,10 @@ stdenv.mkDerivation {
   strictDeps = true;
 
   nativeBuildInputs = [ ocaml findlib camlp5 ];
-  propagatedBuildInputs = [ camlp-streams num ];
+  propagatedBuildInputs = [
+    camlp-streams
+    (if use_zarith then zarith else num)
+  ];
 
   installPhase = ''
     mkdir -p "$out/lib/hol_light" "$out/bin"

pkgs/applications/science/math/fricas/default.nix

@@ -1,20 +1,27 @@
-{ lib, stdenv, fetchurl, sbcl, libX11, libXpm, libICE, libSM, libXt, libXau, libXdmcp }:
+{ lib, stdenv, fetchFromGitHub, sbcl, libX11, libXpm, libICE, libSM, libXt, libXau, libXdmcp }:
 
 stdenv.mkDerivation rec {
   pname = "fricas";
-  version = "1.3.9";
+  version = "1.3.10";
 
-  src = fetchurl {
-    url = "mirror://sourceforge/fricas/fricas/${version}/fricas-${version}-full.tar.bz2";
-    sha256 = "sha256-5RPcffM0GN0l6r8IgHJlwdxwwp2y4kIdJ5M3JnGZCzc=";
+  src = fetchFromGitHub {
+    owner = "fricas";
+    repo = "fricas";
+    rev = version;
+    sha256 = "sha256-T1xDndDnHq/hmhTWWO3Eu0733u8+C8sJMCF6pbLU2GI=";
   };
 
   buildInputs = [ sbcl libX11 libXpm libICE libSM libXt libXau libXdmcp ];
 
+  # Remove when updating to next version
+  configurePhase = ''
+    ./configure --prefix=$out --with-lisp='sbcl --dynamic-space-size 3072'
+  '';
+
   dontStrip = true;
 
   meta = {
-    homepage = "https://fricas.sourceforge.net/";
+    homepage = "https://fricas.github.io";
     description = "An advanced computer algebra system";
     license = lib.licenses.bsd3;
 

pkgs/applications/science/math/sage/sage-src.nix

@@ -61,12 +61,19 @@ stdenv.mkDerivation rec {
       hash = "sha256-uCXchYx26DdxTjR1k2748KCEHPnekKS2fAM7SpyhNvM=";
     })
 
-    # https://github.com/sagemath/sage/pull/37763
+    # https://github.com/sagemath/sage/pull/37763, landed in 10.4.beta2
     (fetchpatch {
       name = "scipy-fault-tolerance.patch";
-      url = "https://github.com/sagemath/sage/commit/547d502ed56f9fd44eb5d9b4ee0824746c60fef7.diff";
+      url = "https://github.com/sagemath/sage/commit/551139c09f26a5da96b1187c3f0dd17b8d80ef84.diff";
       hash = "sha256-PR4przrZ3ieHaW2nSY7l7VhNfrUupu9yCIrXpeyoAgg=";
     })
+
+    # first two commits from https://github.com/sagemath/sage/pull/38100
+    (fetchpatch {
+      name = "sphinx-7.3-update.patch";
+      url = "https://github.com/sagemath/sage/compare/10.4.beta7...d2932e142991b442a3eee5dc4f8949e3f7e6fe5c.patch";
+      hash = "sha256-g6w0ImE0d2ocKnbGMQikcz9eI9r3/gESlA1NrQfGimk=";
+    })
   ];
 
   # Patches needed because of package updates. We could just pin the versions of

pkgs/applications/science/math/sage/sagedoc.nix

@@ -24,10 +24,6 @@ stdenv.mkDerivation rec {
     export HOME="$TMPDIR/sage_home"
     mkdir -p "$HOME"
 
-    # adapted from src/doc/Makefile (doc-src target), which tries to call Sage from PATH
-    mkdir -p $SAGE_DOC_SRC_OVERRIDE/en/reference/repl
-    ${sage-with-env}/bin/sage -advanced > $SAGE_DOC_SRC_OVERRIDE/en/reference/repl/options.txt
-
     # needed to link them in the sage docs using intersphinx
     export PPLPY_DOCS=${python3.pkgs.pplpy.doc}/share/doc/pplpy
 

pkgs/applications/version-management/gitea/default.nix

@@ -86,7 +86,7 @@ buildGoModule rec {
     description = "Git with a cup of tea";
     homepage = "https://gitea.io";
     license = licenses.mit;
-    maintainers = with maintainers; [ disassembler kolaente ma27 techknowlogick ];
+    maintainers = with maintainers; [ ma27 techknowlogick SuperSandro2000 ];
     broken = stdenv.isDarwin;
     mainProgram = "gitea";
   };